Preface



This volume contains the proceedings of the Fifth International Conference on 
Typed Lambda Calculi and Applications, held in Krakow, Poland on May 2-5, 
2001. It contains the abstracts of the four invited lectures, plus 28 contributed 
papers. These were selected from a total of 55 submissions. The standard was 
high, and selection was difficult. 

The conference programme also featured an evening lecture by Roger Hindley,
on “The early days of combinators and lambda”.

I would like to express my gratitude to the members of the Program Com- 
mittee and the Organizing Committee for all their dedication and hard work. I 
would also like to thank the many referees who assisted in the selection process. 
Finally, the support of Jagiellonian University, Warsaw University, and the U.S. 
Office of Naval Research is gratefully acknowledged. 

The study of typed lambda calculi continues to expand and develop, and 
touches on many of the key foundational issues in computer science. This volume 
bears witness to its continuing vitality. 
Many Happy Returns

Olivier Danvy
BRICS*

Department of Computer Science
University of Aarhus

Ny Munkegade, Building 540, DK-8000 Aarhus C, Denmark
E-mail: danvy@brics.dk
Home page: http://www.brics.dk/~danvy



Abstract. Continuations occur in many areas of computer science: 
logic, proof theory, formal semantics, programming-language design and 
implementation, and programming. Like the wheel, continuations have 
been discovered and rediscovered many times, independently. In programming
languages, they represent “the rest of a computation” as a function,
and proved particularly convenient to formalize control structures
(sequence, gotos, exceptions, coroutines, backtracking, resumptions,
etc.) and to reason about them. In the lambda-calculus, terms
can be transformed into “continuation-passing style” (CPS), and the 
corresponding transformation over types can be interpreted as a double- 
negation translation via the Curry-Howard isomorphism. In the compu- 
tational lambda-calculus, they can simulate monads. In programming, 
they provide functional accumulators. 

Yet continuations are remarkably elusive. They can be explained in five 
minutes, but grasping them seems to require a lifetime. Consequently 
one often reacts to them to an extreme, either loving them (“to a man 
with a hammer, the world looks like a nail” ) or hating them ( “too many 
lambdas”). 

In this talk, we will first review basic results about continuations, start- 
ing with Plotkin’s Indifference and Simulation theorems (evaluating a 
CPS-transformed program yields the same result independently of the 
evaluation order). Thus equipped, we will identify where continuations 
arose and how they contributed to solving various problems in computer 
science. We will conclude with the state of the art today, and present a 
number of examples, including an illustration of how applying the contin- 
uation of a procedure several times makes this procedure return several 
times — hence the title of the talk. 



* Basic Research in Computer Science (www.brics.dk), funded by the Danish National
Research Foundation. 
From Bounded Arithmetic to Memory
Management: Use of Type Theory to Capture 
Complexity Classes and Space Behaviour 



Martin Hofmann 

Laboratory for the Foundations of Computer Science
Division of Informatics, University of Edinburgh 

Bounded arithmetic [3] is a subsystem of Peano arithmetic defining exactly
the polynomial time functions. As Gödel’s system T corresponds to Peano
arithmetic, Cook and Urquhart’s system PV^ω [4] corresponds to bounded arithmetic.
It is a type system with the property that all definable functions are polynomial
time computable.

PV^ω as a programming language for polynomial time is, however, unsatisfactory
in several ways. Firstly, it requires one to maintain explicit size bounds on
intermediate results and secondly, many obviously polynomial time algorithms do
not fit into the type system. The attempt to alleviate these restrictions has led
to a sequence of new type systems capturing various complexity classes (PTIME, 
PSPACE, EXPTIME, LINSPACE) without explicit reference to bounds. Among 
them are Cook-Bellantoni’s [2] and Bellantoni-Niggl-Schwichtenberg’s systems of 
safe recursion [1], tiered systems by Leivant and Marion [12,11], subsystems of 
Girard’s linear logic [6,5], and various systems by myself [9,7,8]. 

The most recent work [10] has shown that one of these systems can be adapted 
to allow for explicit memory management including in-place update while still 
maintaining a functional semantics. 

The talk will give a bird’s eye overview of the above-mentioned calculi and 
then discuss in some more detail the recent applications to memory management. 
This will include recent yet unpublished results about the expressive power of
higher-order linear functions and general recursion in the context of [10]. These
results suggest that the expressive power equals $\bigcup \mathrm{DTIME}(2^{\ldots})$.

References 

1. S. Bellantoni, K.-H. Niggl, and H. Schwichtenberg. Ramification, Modality, and 
Linearity in Higher Type Recursion. Annals of Pure and Applied Logic, 2000. to 
appear. 

2. Stephen Bellantoni and Stephen Cook. New recursion-theoretic characterization 
of the polytime functions. Computational Complexity, 2:97-110, 1992. 

3. Samuel R. Buss. Bounded Arithmetic. Bibliopolis, 1986. 

4. S. Cook and A. Urquhart. Functional interpretations of feasibly constructive arith- 
metic. Annals of Pure and Applied Logic, 63:103-200, 1993. 

5. J.-Y. Girard. Light Linear Logic. Information and Computation, 143, 1998. 

6. J.-Y. Girard, A. Scedrov, and P. Scott. Bounded linear logic. Theoretical Computer
Science, 97(1):1-66, 1992.

7. Martin Hofmann. Linear types and non size-increasing polynomial time computation.
To appear in Theoretical Computer Science. See

www.dcs.ed.ac.uk/home/papers/icc.ps.gz for a draft. An extended abstract has 
appeared under the same title in Proc. Symp. Logic in Comp. Sci. (LICS) 1999, 
Trento, 2000. 

8. Martin Hofmann. Programming languages capturing complexity classes. SIGACT 
News Logic Column, 9, 2000. 12 pp. 

9. Martin Hofmann. Safe recursion with higher types and BCK-algebra. Annals of 
Pure and Applied Logic, 104:113-166, 2000. 

10. Martin Hofmann. A type system for bounded space and functional in-place up- 
date. Nordic Journal of Computing, 2001. To appear, see 

www.dcs.ed.ac.uk/home/mxh/papers/nordic.ps.gz for a draft. An extended abstract
has appeared in Programming Languages and Systems, G. Smolka, ed.,
Springer LNCS, 2000.

11. D. Leivant and J.-Y. Marion. Predicative Functional Recurrence and Poly-Space. 
In Springer LNCS 1214: Proc. CAAP, 1997. 

12. Daniel Leivant. Stratified Functional Programs and Computational Complexity. 
In Proc. 20th IEEE Symp. on Principles of Programming Languages, 1993. 




Definability of Total Objects in PCF and 
Related Calculi 



Dag Normann 

Department of Mathematics 
University of Oslo 

We let PCF be Plotkin’s calculus […] based on Scott’s LCF […], and
we consider the standard case with base types for the natural numbers and for
the Booleans. We consider the standard interpretation using algebraic domains.
Plotkin […] showed that a finite object in general will not be definable, and
isolated two nondeterministic constants PAR and ∃ such that each computable
object is definable in PCF + PAR + ∃.

The first result to be discussed is

Theorem 1. If an object is computable and hereditarily total, then there is a
PCF-definable F below it that is also total.

For details, see […].

Escardó […] extended PCF to R-PCF, adding base types for the reals
and the unit interval I, using continuous domains for the interpretation.

We investigate the hereditarily total objects and obtain

Theorem 2. The hereditarily total objects in the semantics for R-PCF possess
a natural equivalence relation, and the typed structure of equivalence classes can
be characterized in the category of limit spaces.

For details, see […].

PAR is definable in R-PCF, but ∃ is not. It is an open problem whether Theorem
1 can be generalized to R-PCF.

We will discuss a partial solution of the problem in

Theorem 3. ∃ is not uniformly R-PCF-definable from any hereditarily total
object.

Uniformly definable will mean that the object is definable by one term from each
element of the equivalence class.

For details, see […].

The final result to be discussed is joint with Christian Rørdam […].

We will compare PCF with Kleene’s classical approach from 1959, and see
that when we restrict ourselves to μ-recursion in higher types of continuous
functionals, the differences are only cosmetic. Niggl […] devised a calculus
that essentially is

(PCF − Fixpoints) + PAR + μ-operator.

Theorem 4. This calculus is strictly weaker than PCF + PAR.
Categorical Semantics of Control

Peter Selinger

Department of Computer Science
Stanford University

In this talk, I will describe the categorical semantics of Parigot’s λμ-calculus [7].
The λμ-calculus is a proof-term calculus for classical logic, and at the same time
a functional programming language with control operators. It is equal in power
to Felleisen’s C operator [2,1], except that it allows both a call-by-name and
call-by-value semantics. The connection between classical logic and continuation-like
control operators was first observed by Griffin […].

The categorical semantics of the λμ-calculus has been studied by various
authors in the last few years […]. Here, we give a semantics in terms of control
categories, which combine a cartesian-closed structure with a premonoidal
structure in the sense of Power and Robinson […]. The call-by-name λμ-calculus
(with disjunctions) is an internal language for control categories, in much the
same way the simply-typed lambda calculus is an internal language for
cartesian-closed categories. Moreover, the call-by-value λμ-calculus is an internal language
for the dual class of co-control categories. As a corollary, one obtains a syntactic
duality result in the style of Filinski [3]: there exist syntactic translations
between call-by-name and call-by-value which are mutually inverse and which
preserve the operational semantics.

References

1. P. De Groote. On the relation between the λμ-calculus and the syntactic theory
of sequential control. Springer LNCS 822, 1994.

2. M. Felleisen. The calculi of λ_v-conversion: A syntactic theory of control and state
in imperative higher order programming languages. PhD thesis, Indiana University,
1986.

3. A. Filinski. Declarative continuations and categorical duality. Master’s thesis,
DIKU, Computer Science Department, University of Copenhagen, Aug. 1989.
DIKU Report 89/11.

[…] the 17th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Program-

5. M. Hofmann and T. Streicher. Continuation models are universal for λμ-calculus.
In Proceedings of the Twelfth Annual IEEE Symposium on Logic in Computer
Science, pages 387-397, 1997.

6. C.-H. L. Ong. A semantic view of classical proofs: Type-theoretic, categorical,
and denotational characterizations. In Proceedings of the Eleventh Annual IEEE

[…] University of Edinburgh, 1997.




Representations of First Order Function Types 
as Terminal Coalgebras 



Thorsten Altenkirch 

School of Computer Science and Information Technology 
University of Nottingham, UK 
txa@cs.nott.ac.uk



Abstract. We show that function types which have only initial algebras
for regular functors in the domains, i.e. first order function types, can
be represented by terminal coalgebras for certain nested functors. The
representation exploits properties of ω^op-limits and local ω-colimits.



1 Introduction 

The work presented here is inspired by discussions the author had some years
ago with Healfdene Goguen in Edinburgh on the question Can function types
be represented inductively? or maybe more appropriately: Can function types be
represented algebraically?

In programming and type theory the universe of types can be divided as
follows:

— function types (cartesian closure)

— algebraic types

— inductive types (initial algebras)

— coinductive types (terminal coalgebras)

In programming the difference between inductive and coinductive types is often
obliterated because one is mainly interested in the collection of partial objects
of a certain type. Inspired by Occam’s razor it would be interesting if we could
explain one class of types by another. Here we try to reduce function types to
algebraic types.

The first simple observation is that function spaces can be eliminated using
products if the domain is finite. Here we show that function spaces A ⇒ B can
be eliminated using coinductive types if the domain A is defined inductively.
It is interesting to note that ordinary coinductive types are sufficient only for
functions over linear inductive types (i.e. where the signature functor has the
form T(X) = A₁ × X + A₀) but in general we need to construct functors defined
by terminal coalgebras in categories of endofunctors. Those correspond to nested
datatypes which have been the subject of recent work [BM98, …].
1.1 Examples

We give some examples which are instances of our general construction, propo-
sition 8. We use the usual syntax for products and coproducts and μX.F(X) to
denote initial algebras and νX.F(X) for terminal coalgebras. See section 2 for
the details. The isomorphisms stated below exist under the condition that the
ambient category has the properties introduced later, see section 3. A category
which satisfies these properties is the category of sets whose cardinality is less
than or equal to ℵ₁. Note that this category is not cartesian closed.



Natural Numbers. Natural numbers are given by Nat = μX.1 + X, i.e. they
are the initial algebra of the functor¹ T(X) = 1 + X. We have that

$(\mu X.\,1 + X) \Rightarrow B \;\cong\; \nu Y.\,B \times Y,$

where νY.B × Y is the terminal coalgebra of the functor T'(X) = B × X — this
is the type of streams or infinite lists over B.

Using the previous isomorphism we obtain a representation of countable or-
dinals using only algebraic types. The type Ord = μX.1 + X + (Nat → X) can
be represented as

$\mathrm{Ord} \;\cong\; \mu X.\,1 + X + \nu Y.\,X \times Y$

Note, however, that there is no representation for functions over Ord and hence
there seems to be no representation of the next number class using only coin-
ductive types.



Lists. We assume as given a type A for which we already know how to construct
function spaces. Then lists over A are given by List(A) = μX.1 + A × X and we
have

$(\mu X.\,1 + A \times X) \Rightarrow B \;\cong\; \nu Y.\,B \times (A \Rightarrow Y)$

The right hand side defines B-labelled, A-branching non-wellfounded trees. Com-
bining this with the first case we obtain a representation for functions over lists
of natural numbers:

$\mathrm{List}(\mathrm{Nat}) \to B \;\cong\; \nu Y.\,B \times (\mathrm{Nat} \to Y)$
$\qquad\qquad\qquad\;\;\cong\; \nu Y.\,B \times (\nu Z.\,Y \times Z)$



¹ We only give the effect on objects since the morphism part of the functor can be
derived from the fact that all the operations we use are functorial in their arguments,
i.e. T can be extended on morphisms by T(f) = 1 + f.
Binary Trees. By considering functions over binary trees BTree = μX.1 + X × X
we leave the realm of linear inductive types. The type of functions over trees
is given by:

$(\mu X.\,1 + X \times X) \Rightarrow B \;\cong\; (\nu F.\,\Lambda X.\,X \times F(F(X)))(B)$

Here the right hand side is read as the terminal coalgebra over the endofunctor
H(F) = ΛX.X × F(F(X)) on the category of endofunctors. There seem to be two
ways to extend H to morphisms, i.e. given a natural transformation α ∈ F → G

$H_1(\alpha)_A = \alpha_A \times (G(\alpha_A) \circ \alpha_{F(A)})$

$H_2(\alpha)_A = \alpha_A \times (\alpha_{G(A)} \circ F(\alpha_A))$

However, it is easy to see that the naturality of α implies H₁(α) = H₂(α).

The type νF.ΛX.X × F(F(X)) has a straightforward representation in a
functional programming language like Haskell which allows nested datatypes.
A variation of this type, namely νF.ΛX.1 + X × F(F(X)), is used in [BM98]
as an example for nested datatypes under the name Bushes. We can represent
νF.ΛX.X × F(F(X)) as

data BTfun x = Case x (BTfun (BTfun x))

Here we consider only total elements of a type which entails that we have to
differentiate between inductive and coinductive interpretations of recursively de-
fined types. We interpret BTfun coinductively, which is sensible since the inductive
interpretation is empty.

We assume that binary trees BT are defined as

data BT = L | Sp BT BT

This time we interpret the type inductively!

The two parts of the isomorphism, which we call lamBT and appBT, can be
programmed in Haskell²:

lamBT :: (BT → a) → BTfun a
lamBT f = Case (f L) (lamBT (λt → lamBT (λu → f (Sp t u))))

appBT :: BTfun a → BT → a
appBT (Case a f) t = case t of L → a
                               Sp tl tr → appBT (appBT f tl) tr

Since we use polymorphic recursion it is essential to give the types of the two
functions explicitly.

² We take the liberty of writing λ for \ and → for ->.
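The following Python transcription is an added illustration, not the paper’s Haskell: it reads each coalgebra cell lazily so that the coinductive interpretation is the one computed, and it covers both the stream representation of Nat ⇒ B from the Natural Numbers example and the lamBT/appBT isomorphism for binary trees. The names Cell, lam_nat, app_nat, lam_bt, app_bt, Leaf, Sp and memo_calls are this example’s own; memo_calls shows that the coalgebra behaves as a memo table, which is the practical motivation behind Hinze’s construction mentioned in section 1.2.

```python
# Added example (not the paper's Haskell): lazy Python transcription of
#   (mu X. 1 + X)     => B  ~  nu Y. B x Y                        (streams)
#   (mu X. 1 + X x X) => B  ~  (nu F. Lambda X. X x F(F X))(B)     (BTfun)
# Names Cell, lam_nat, app_nat, lam_bt, app_bt, Leaf, Sp are assumptions of
# this example, not identifiers from the paper.
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Leaf:
    """data BT = L | Sp BT BT, read inductively: the L constructor."""


@dataclass(frozen=True)
class Sp:
    """The Sp constructor of BT."""
    left: Any
    right: Any


class Cell:
    """One constructor cell of a terminal coalgebra nu Y. B x T(Y): a value
    plus a 'rest' that is computed on demand and then memoised.  Forcing the
    rest lazily is what makes the coinductive reading (infinite unfolding)
    computable; the inductive reading of the same type is empty."""
    __slots__ = ("value", "_thunk", "_rest")

    def __init__(self, value: Any, thunk: Callable[[], Any]):
        self.value = value
        self._thunk = thunk
        self._rest = None

    @property
    def rest(self) -> Any:
        if self._rest is None:
            self._rest = self._thunk()   # forced at most once
        return self._rest


# Nat => B as a stream: the cell holds f(0), its rest holds f(1), f(2), ...
def lam_nat(f: Callable[[int], Any]) -> Cell:
    return Cell(f(0), lambda: lam_nat(lambda n: f(n + 1)))


def app_nat(s: Cell, n: int) -> Any:
    while n > 0:
        s, n = s.rest, n - 1
    return s.value


# BT => a as data BTfun x = Case x (BTfun (BTfun x)): a Cell whose rest is
# a BTfun (BTfun a), i.e. a Cell of Cells (polymorphic recursion in Haskell).
def lam_bt(f: Callable[[Any], Any]) -> Cell:
    # lamBT f = Case (f L) (lamBT (\t -> lamBT (\u -> f (Sp t u))))
    return Cell(f(Leaf()),
                lambda: lam_bt(lambda t: lam_bt(lambda u: f(Sp(t, u)))))


def app_bt(c: Cell, t: Any) -> Any:
    # appBT (Case a f) t = case t of L -> a ; Sp tl tr -> appBT (appBT f tl) tr
    if isinstance(t, Leaf):
        return c.value
    return app_bt(app_bt(c.rest, t.left), t.right)


def node_count(t: Any) -> int:
    """Number of Sp nodes; a sample total function BT -> Nat."""
    return 0 if isinstance(t, Leaf) else 1 + node_count(t.left) + node_count(t.right)


def roundtrip_ok(f: Callable[[Any], Any], t: Any) -> bool:
    """appBT (lamBT f) t == f t: one direction of the isomorphism on a sample."""
    return app_bt(lam_bt(f), t) == f(t)


def memo_calls(t: Any) -> tuple:
    """Look the same tree up twice through lamBT and report (result, calls of f
    after the first lookup, calls after the second).  Equal counts show that
    the coalgebra is a memo table: cells are built once and then reused."""
    calls = 0

    def f(tree: Any) -> int:
        nonlocal calls
        calls += 1
        return node_count(tree)

    table = lam_bt(f)
    result = app_bt(table, t)
    first = calls
    app_bt(table, t)
    return result, first, calls


if __name__ == "__main__":
    squares = lam_nat(lambda n: n * n)
    print(app_nat(squares, 7))                      # 49
    tree = Sp(Sp(Leaf(), Leaf()), Leaf())           # constructed sample tree
    print(memo_calls(tree))                         # (2, 3, 3)
```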



Finite Trees. As a last example we shall consider functions over finitely branch-
ing trees which are interesting because they are defined using interleaving in-
ductive types, i.e.

$\mathrm{FTree} = \mu X.\,\mathrm{List}(X) = \mu X.\,\mu Y.\,1 + X \times Y$

The function type over finite trees can be represented as follows:

$(\mu X.\,\mu Y.\,1 + X \times Y) \Rightarrow B \;\cong\; (\nu F.\,\nu G.\,\Lambda Z.\,Z \times F(G(Z)))(B)$



1.2 Related Work

After having completed most of the technical work presented in this paper it was
brought to our attention that Ralf Hinze had already discovered what amounts to
essentially the same translation in the context of generic functional programming
[Hin00b, Hin00a]. His motivation was of a more practical nature: he was looking
for a generic representation of memo functions. One of the anonymous referees
pointed out that this construction was anticipated in a note by Geraint Jones
[…].

The present paper can be viewed as providing a more detailed categorical
underpinning of Hinze’s construction. In some regards however, our approaches
differ fundamentally:

— We adopt a categorical perspective in which functions are total, in that
exponentiation is right adjoint to products, where Hinze deals with partial
functions (and hence a monoidally closed structure).

— As a consequence of this we differentiate between inductive and coinductive
types. It also means that we cannot use fixpoint induction (as suggested by
Hinze) but have to rely on using ω-limits and colimits explicitly.

— We show the existence of the exponentials whereas Hinze only shows that
they are isomorphic to already existing ones.

— Hinze’s programs require 2nd order impredicative polymorphism whereas our
construction takes place in a predicative framework (compare also section 6).

[…] context. Dirk Pattinson provided valuable feedback on a draft version. I would
also like to thank the anonymous referees whose comments I tried to incorporate
to the best of my abilities.
2 Preliminaries

We work with respect to some ambient category C whose properties we shall
make precise below. We assume that C is bicartesian, i.e. has all finite products
(written 1, A × B) and finite coproducts (written 0, A + B). We write !_A ∈ A → 1
and ?_A ∈ 0 → A for the universal maps. Notationally, we use → for homsets
and ⇒ for exponentials. We do not assume that C is cartesian closed.

We assume the existence of ω^op-limits and ω-colimits. Here ω stands for
the posetal category (ω, ≤) and by ω^op-completeness we mean that limits of all
functors F ∈ ω^op → C exist, i.e.

$A \to \lim(F) \;\cong\; \Delta(A) \to F$

where Δ(A) = ΛX.A is the constant functor. We write π_F ∈ Δ(lim(F)) → F for
the projection and for the back direction of the isomorphism: prod_F(α) ∈ A →
lim(F) given α ∈ Δ(A) → F.

Dually, by ω-cocompleteness we mean that all colimits of functors F ∈ ω → C
exist, i.e.

$\mathrm{colim}(F) \to A \;\cong\; F \to \Delta(A)$

We write inj_F ∈ F → Δ(colim(F)) for the injection and for the inverse case(α) ∈
colim(F) → A given α ∈ F → Δ(A).

A functor T ∈ C → C is called ω^op-continuous (ω-cocontinuous) if it preserves
all ω^op-limits (ω-colimits) up to isomorphism. We write

$T(\lim(F)) \;\cong\; \lim(T \circ F)$

$T(\mathrm{colim}(F)) \;\cong\; \mathrm{colim}(T \circ F)$

It is easy to see that coproducts preserve colimits and products preserve limits
and hence the appropriate operations on functors are (co-)continuous. We will
later identify the precise circumstances under which products preserve colimits.

Given an endofunctor T ∈ C → C the category of T-algebras has as objects
(A ∈ C, f ∈ T(A) → A) and morphisms h ∈ (A, f) → (B, g) are given by
h ∈ A → B s.t. g ∘ T(h) = h ∘ f. We denote the initial T-algebra by (μT, in_T ∈
T(μT) → μT). Given any T-algebra (A, f) the unique morphism (often called
a catamorphism) is written as fold_T(f) ∈ μT → A. Dually, the category of T-
coalgebras has as objects (A ∈ C, f ∈ A → T(A)) and morphisms h ∈ (A, f) →
(B, g) are given by h ∈ A → B s.t. g ∘ h = T(h) ∘ f. The terminal T-coalgebra
is written as (νT, out_T ∈ νT → T(νT)) and given a coalgebra (A, f) the unique
morphism (often called anamorphism) is written unfold_T(f) ∈ A → νT.

For completeness we review some material from [Ada74, PS78]. Given an end-
ofunctor T ∈ C → C and i ∈ ω we write T^i ∈ C → C for the ith iteration of T.
We define Chain^T ∈ ω → C and Chain_T ∈ ω^op → C:

$\mathrm{Chain}_T(i) = T^i(1)$

$\mathrm{Chain}_T(i \geq j) = T^j(!_{\mathrm{Chain}_T(i-j)})$

$\mathrm{Chain}^T(i) = T^i(0)$

$\mathrm{Chain}^T(i \leq j) = T^i(?_{\mathrm{Chain}^T(j-i)})$

Proposition 1 (Adámek, Plotkin-Smyth). Given an ω^op-complete and
ω-cocomplete category C and an endofunctor T ∈ C → C we have that:

1. If T is ω-cocontinuous then the initial algebra exists and

$\mu(T) \;\cong\; \mathrm{colim}(\mathrm{Chain}^T).$

2. If T is ω^op-continuous then the terminal coalgebra exists and

$\nu(T) \;\cong\; \lim(\mathrm{Chain}_T)$



3 Locality

Since we do not assume that our ambient category is closed we have to be more
precise w.r.t. coproducts, colimits and initial algebras. We require that all those
concepts exist locally. Given an object Γ which corresponds to a type context the
local category w.r.t. Γ has the same objects as C and as morphisms f ∈ Γ × A →
B. The local identity is just the projection π₂ ∈ Γ × A → A and composition of
f ∈ Γ × A → B and g ∈ Γ × B → C is given by g ∘ ⟨1, f⟩ ∈ Γ × A → C. We say
that X are local, if X exists in all local categories and coincides with the global X.
A local functor is given by a function on objects and a natural transformation:

$\mathrm{st}^T \in (\Gamma \times A \to B) \to (\Gamma \times T(A) \to T(B))$

natural in Γ which preserves local identity and composition:

$\mathrm{st}^T(\pi_2) = \pi_2$

$\mathrm{st}^T(g \circ \langle 1, f\rangle) = \mathrm{st}^T(g) \circ \langle 1, \mathrm{st}^T(f)\rangle$

where f ∈ Γ × A → B and g ∈ Γ × B → C.

Alternatively this can be formalized via a natural transformation

$\theta_{\Gamma,A} \in \Gamma \times T(A) \to T(\Gamma \times A)$

subject to the appropriate conditions but this can easily be seen to be equivalent.

Traditionally, local functors are called strong […]. We diverge from this
use because we want to apply the idea of locality also to other concepts like
colimits and coalgebras and here the word strong is already used to signal that
the uniqueness condition holds.
Proposition 2.

1. Products are local.

2. ω^op-limits are local.

3. Terminal coalgebras of local functors are local.

Proof. (Sketch): 3. Given a local T-coalgebra f ∈ Γ × A → T(A) the local unfold
is given by

$\mathrm{unfold}^\Gamma_T(f) \in \Gamma \times A \to \nu T$

$\mathrm{unfold}^\Gamma_T(f) = \mathrm{unfold}_T(\theta_{\Gamma,A} \circ \langle 1, f\rangle)$

However, the same does not hold for coproducts, colimits or initial algebras.
E.g. coproducts are not local in CPO_⊥. This asymmetry is caused by the fact
that the notion of local morphisms is not self dual.

Local coproducts are given by the following families of isomorphisms:

$\Gamma \times 0 \to X \;\cong\; 1$

$\Gamma \times (A + B) \to X \;\cong\; (\Gamma \times A \to X) \times (\Gamma \times B \to X)$

natural in Γ. Given a functor F ∈ ω → C (not necessarily local) the ω-colimit
is local if the following family of isomorphisms exists:

$\Gamma \times \mathrm{colim}(F) \to C \;\cong\; \Delta(\Gamma) \times F \to \Delta(C)$

We say that a functor is locally cocontinuous if it preserves local colimits
and again it is easy to see that local coproducts preserve local colimits. In the
special case of local ω-colimits we also have

Proposition 3. Products preserve local ω-colimits:

$\mathrm{colim}(F) \times \mathrm{colim}(G) \;\cong\; \mathrm{colim}(F \times G)$

Proof. (Sketch) For simplicity we only consider the case of Γ = 1. Using locality
we show that

$\mathrm{colim}(F) \times \mathrm{colim}(G) \to A \;\cong\; (\Lambda(i,j) \in \omega \times \omega.\,F(i) \times G(j)) \to \Delta(A)$

Using the fact that either i ≤ j or j ≤ i we can show that the right hand side is
isomorphic to

$(\Lambda i \in \omega.\,F(i) \times G(i)) \to \Delta(A)$

Assuming that T is a local endofunctor, a local T-algebra with respect to Γ is
given by f ∈ Γ × T(A) → A and given another local algebra g : Γ × T(B) → B
then a morphism h ∈ f → g is given by h ∈ Γ × A → B s.t. h ∘ ⟨1, f⟩ =
g ∘ ⟨1, st(h)⟩. Saying that an initial algebra (μT, in_T ∈ T(μT) → μT) is local
means that in_T ∘ π₂ ∈ Γ × T(μT) → μT is an initial local T-algebra.
Definition 1. We call a category C locally ω-bicomplete if the following condi-
tions hold:

1. C has all finite products.

2. C is ω^op-complete, i.e. it has all ω^op-limits.

3. C has all local finite coproducts.

4. C is locally ω-cocomplete, i.e. it has all local ω-colimits.

We assume that the ambient category C is locally ω-bicomplete. We note that the
initial algebra representation theorem can be localized:

Proposition 4. Given a cocontinuous local endofunctor T. Then in the presence
of local ω-colimits the representation of proposition 1 gives rise to a local initial
algebra.

Finally, we remark that the reason that the question of locality has so far
got only very little attention in programming language theory is because here
the ambient category is usually assumed to be cartesian closed and we have:

Proposition 5. Assuming that our ambient category C is cartesian closed we
have

1. Coproducts are local.

2. ω-colimits are local.

3. Initial algebras of local functors are local.

Proof (Sketch): 3. Let

$\mathrm{app}_{\Gamma,A} \in \Gamma \times (\Gamma \Rightarrow A) \to A$

$\Lambda_{\Gamma,A}(f) \in B \to (\Gamma \Rightarrow A) \text{ given } f \in \Gamma \times B \to A$

be twisted versions of the usual morphisms. Now, given f ∈ Γ × T(A) → A we
define

$\mathrm{fold}^\Gamma_T(f) = \mathrm{app}(\mathrm{fold}_T(\Lambda(f \circ \mathrm{st}(\mathrm{app})))) \in \Gamma \times \mu(T) \to A$

4 The μ-ν Property

We shall now establish the main technical lemma of this paper which relates
function spaces whose domains are initial algebras to terminal coalgebras. We
say that an object A ∈ C is exponentiable if for all B ∈ C: A ⇒ B exists and
there is an isomorphism

$\Gamma \times A \to B \;\cong\; \Gamma \to A \Rightarrow B$

which is natural in Γ. We define C* as the full subcategory of exponentiable
objects.
Given a functor F ∈ ω → C* and an object C ∈ C we define

$F \Rightarrow C \in \omega^{\mathrm{op}} \to C$

$(F \Rightarrow C)(i) = F(i) \Rightarrow C$

Note that F ⇒ C = F ⇒ Δ(C).

Lemma 1.

$\Gamma \times \mathrm{colim}(F) \to C \;\cong\; \Gamma \to \lim(F \Rightarrow C)$

natural in Γ.

Proof. Straightforward unfolding of definitions.

Note that local colimits are essential here. We also know that limits in functor
categories can be calculated pointwise:

Lemma 2. Let F ∈ ω^op → (C → C) then we have

$\lim(F)(C) \;\cong\; \lim(\Lambda i.\,F(i, C))$

natural in C.

Lemma 3. Given an ω-cocontinuous local functor F ∈ C* → C* which pre-
serves exponentiability and an ω^op-continuous functor G ∈ (C → C) → (C → C)
s.t. for all exponentiable objects A

$F(A) \Rightarrow B \;\cong\; G(\Lambda X.\,A \Rightarrow X)(B) \qquad (\mathrm{H})$

which is natural in B then we have:

1. For all i ∈ ω:

$\mathrm{Chain}^F(i) \Rightarrow C \;\cong\; \mathrm{Chain}_G(i)(C)$

natural in C.

2.

$\Gamma \times \mu(F) \to C \;\cong\; \Gamma \to (\nu G)(C)$

natural in Γ, C.

Proof.

1. By induction over i:

i = 0:

$\mathrm{Chain}^F(0) \Rightarrow C = 0 \Rightarrow C$
$\qquad \cong 1$  (since 0 is local)
$\qquad = \mathrm{Chain}_G(0)(C)$  (since Chain_G(0) = Δ(1))
i + 1:

$\mathrm{Chain}^F(i+1) \Rightarrow C = F(\mathrm{Chain}^F(i)) \Rightarrow C$
$\qquad \cong G(\Lambda X.\,\mathrm{Chain}^F(i) \Rightarrow X)(C)$  (H)
$\qquad \cong G(\mathrm{Chain}_G(i))(C)$  ind. hyp.
$\qquad \cong \mathrm{Chain}_G(i+1)(C)$

2.

$\Gamma \times \mu(F) \to C \cong \Gamma \times \mathrm{colim}(\mathrm{Chain}^F) \to C$  by prop. 1
$\qquad \cong \Gamma \to \lim(\mathrm{Chain}^F \Rightarrow C)$  by lemma 1
$\qquad \cong \Gamma \to \lim(\mathrm{Chain}_G)(C)$  by 1.
$\qquad \cong \Gamma \to \nu(G)(C)$  by prop. 1


5 The Representation Theorem

We will now establish that function spaces whose domain is an inductive regular
type can be isomorphically represented by coinductive nested types.

The set of inductive regular functors of arity n: IND_n ⊆ C^n → C is induc-
tively defined by the following rules:

$\dfrac{0 \leq i < n}{\Lambda X.\,X_i \in \mathrm{IND}_n} \qquad \dfrac{}{\Lambda X.\,0,\; \Lambda X.\,1 \in \mathrm{IND}_n}$

$\dfrac{F, G \in \mathrm{IND}_n}{\Lambda X.\,F(X) + G(X),\; \Lambda X.\,F(X) \times G(X) \in \mathrm{IND}_n}$

$\dfrac{F \in \mathrm{IND}_{n+1}}{\Lambda X.\,\mu Y.\,F(X, Y) \in \mathrm{IND}_n}$

An inductive regular type is just an inductive regular functor of arity 0.

Proposition 6. All inductive regular functors are local and locally ω-
cocontinuous.

Proof. (Sketch): By induction over the structure of IND. Locality simply follows
from the fact that we use local coproducts and colimits and that projections and
products are local anyway.

ω-cocontinuity follows from the fact that local coproducts preserve colimits
and local initial algebras preserve local colimits since they correspond to local
colimits (proposition 4). The case of products is covered by proposition 3.
We now define the set of coinductive nested functors of arity n: CIND_n ⊆
(C → C)^n → C → C inductively:

$\dfrac{0 \leq i < n}{\Lambda F.\,F_i \in \mathrm{CIND}_n} \qquad \dfrac{}{\Lambda F.\,\Lambda X.\,1,\; \Lambda F.\,\Lambda X.\,X \in \mathrm{CIND}_n}$

$\dfrac{G, H \in \mathrm{CIND}_n}{\Lambda F.\,\Lambda X.\,G(F, X) \times H(F, X),\; \Lambda F.\,G(F) \circ H(F) \in \mathrm{CIND}_n}$

$\dfrac{G \in \mathrm{CIND}_{n+1}}{\Lambda F.\,\nu H.\,G(F, H) \in \mathrm{CIND}_n}$

A coinductive nested type is a coinductive nested functor of arity 0 applied to
any type (i.e. definable object).

Proposition 7. All coinductive nested functors are continuous.

Proof. (Sketch): Follows from the fact that products and limits preserve limits.

We now assign to every inductive regular functor F ∈ IND_n a coinductive
nested functor F̂ ∈ CIND_n which represents the function space in the sense
made precise below.

$F(X) = X_i \qquad\qquad\qquad\; \hat F(H) = H_i$

$F(X) = 0 \qquad\qquad\qquad\;\;\; \hat F(H) = \Lambda X.\,1$

$F(X) = F_1(X) + F_2(X) \qquad \hat F(H) = \Lambda X.\,\hat F_1(H)(X) \times \hat F_2(H)(X)$

$F(X) = 1 \qquad\qquad\qquad\;\;\; \hat F(H) = \Lambda X.\,X$

$F(X) = F_1(X) \times F_2(X) \qquad \hat F(H) = \hat F_1(H) \circ \hat F_2(H)$

$F(X) = \mu Y.\,F'(X, Y) \qquad\;\; \hat F(H) = \nu G.\,\hat F'(H, G)$

Proposition 8. Given F ∈ IND_n and A ∈ C* define H_i = ΛX.A_i ⇒ X. We
have that

$\Gamma \times F(A) \to B \;\cong\; \Gamma \to \hat F(H, B)$

which is natural in B.

Proof. By induction over the structure of F:

F(X) = X_i:

$\Gamma \times F(A) \to B = \Gamma \times A_i \to B$
$\qquad \cong \Gamma \to A_i \Rightarrow B$
$\qquad = \Gamma \to \hat F(H, B)$
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F{X) = 0 

r X F{A) ^ B = F xO ^ B 

~ T — 1 strong initial object 

= F^ F{H,B) 

F{X) = Fi{X) + F2{X) 

F X F{A) B = F X Fi{A) + F2{A) -> B 

(F X Fi(A) — >■ -B) X (B xF 2 {A)^B) strong coproducts 
~ {F ^ Fi{H,B)) X {F ^ F 2 {H,B)) ind.hyp. 

cxF^Fi{H,B) X Mh,B) 

= F-^ F{H,B) 

F{X) = 1 

F X F{A) -^B = Bxl-^B 
~F^B 
= F ^ F{H,B) 

F{X) = Fi{X) X F2{X) 

F X F{A) B = F X Fi{A) x F 2 {A) B 
~ B X Bi(A) ^ F2{A) B 
~ B ^ Bi(A) B2(A) ^ B 
c^F^Fi{H,F 2 {A))^B) ind.hyp(Bi) 

cxF^Fi{H,F 2 {H,B)) ind.hyp(B 2 ) 

= F ^ {A{H) o F 2 {H)){B) 

= F->- F{H,B) 

F{X)=fiY.F'{X,Y) 

F X B(A) B = F X fiYF'{A, Y) ^ B 

~F^{vG.F'{H,G)){B) (*) 

= F^F{H,B) 

To justify (*) we apply lemma|2l2. to AY.F'{A, Y) and AG.F'{H, G). Preser- 
vation of exponentials and (H) follows from the ind.hyp. 



Corollary 1. Every function space $A \to B$ where $A \in \mathcal{IND}_0$ is an inductive regular type can be represented as a coinductive nested type $\hat A(B)$.
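The representation of Corollary 1 spelled out on one concrete inductive type, as an added example that is not part of the paper: the type `Tree`, the sample function `weight` and the names `tabulate`/`lookup` are constructed for it. The function space `Tree -> B` is stored as the lazily unfolded coinductive nested structure that the translation table prescribes (sum to product, `1` to identity, product to composition, `mu` to `nu`).

```python
"""Generalized trie for Tree = mu Y. Bool + Y x Y (a leaf carries a Bool).
Following the table, the trie type is  TreeTrie(B) = (B x B) x TreeTrie(TreeTrie(B)):
  - the sum  Bool + Y x Y  becomes a product of two sub-tries,
  - Bool = 1 + 1  becomes  B x B  (one answer per leaf value),
  - the product  Y x Y  becomes the composition  TreeTrie o TreeTrie,
  - mu becomes nu; assumption of this example: Python thunks stand in for
    the coinductive (lazily unfolded) structure."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Any, Callable, Union


# Constructed sample inductive type.
@dataclass(frozen=True)
class Leaf:
    bit: bool


@dataclass(frozen=True)
class Node:
    left: "Tree"
    right: "Tree"


Tree = Union[Leaf, Node]


class Lazy:
    """Memoised thunk: the coinductive structure is unfolded only on demand."""

    def __init__(self, thunk: Callable[[], Any]):
        self._thunk, self._value, self._done = thunk, None, False

    def force(self):
        if not self._done:
            self._value, self._done = self._thunk(), True
            self._thunk = None  # drop the closure once evaluated
        return self._value


class TreeTrie:
    """TreeTrie(B) = (B x B) x TreeTrie(TreeTrie(B)).
    Note the polymorphic recursion: `node` is a trie whose answers are tries."""

    def __init__(self, leaf_false: Lazy, leaf_true: Lazy, node: Lazy):
        self.leaf_false = leaf_false  # answer for Leaf(False)   : B
        self.leaf_true = leaf_true    # answer for Leaf(True)    : B
        self.node = node              # TreeTrie(TreeTrie(B))


def tabulate(f: Callable[[Tree], Any]) -> TreeTrie:
    """Represent f : Tree -> B as a trie (the direction  Tree -> B  ==>  TreeTrie(B))."""
    return TreeTrie(
        Lazy(lambda: f(Leaf(False))),
        Lazy(lambda: f(Leaf(True))),
        # curry f over the two subtrees: Node(l, r) is looked up as l, then r
        Lazy(lambda: tabulate(lambda l: tabulate(lambda r: f(Node(l, r))))),
    )


def lookup(trie: TreeTrie, t: Tree):
    """The other direction: apply a tabulated function to a tree."""
    if isinstance(t, Leaf):
        return (trie.leaf_true if t.bit else trie.leaf_false).force()
    inner = lookup(trie.node.force(), t.left)  # a TreeTrie(B) indexed by the right subtree
    return lookup(inner, t.right)


# Constructed sample function and input.
def weight(t: Tree) -> int:
    """Number of True leaves plus the number of internal nodes."""
    if isinstance(t, Leaf):
        return int(t.bit)
    return 1 + weight(t.left) + weight(t.right)


SAMPLE = Node(Node(Leaf(True), Leaf(False)), Node(Leaf(True), Leaf(True)))


def check(t: Tree) -> bool:
    """Tabulating and then looking up must agree with direct application."""
    return lookup(tabulate(weight), t) == weight(t)
```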
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6 Using Fusion?

Roland Backhouse remarked that the central lemma 2 could be proven using the fusion theorem of [BBvGvdW96], p. 76:

Proposition 9 (Fusion). Given a left adjoint functor $F \in \mathcal{C} \to \mathcal{D}$ and functors $G \in \mathcal{C} \to \mathcal{C}$ and $H \in \mathcal{D} \to \mathcal{D}$ s.t.
$$F \circ G \cong H \circ F$$
then
$$F(\mu(G)) \cong \mu(H)$$

Using
$$F \in \mathcal{C} \to (\mathcal{C} \to \mathcal{C})^{\mathrm{op}}, \qquad F(X) = \lambda Y.\, X \to Y$$
we may obtain lemma 2 as a corollary (without requiring that the functors involved are continuous or cocontinuous) if we can show that $F$ has a right adjoint. This right adjoint can be written as
$$F^{\#} \in (\mathcal{C} \to \mathcal{C})^{\mathrm{op}} \to \mathcal{C}, \qquad F^{\#}(G) = G \to \lambda X.\, X$$
This requires that there is an internal representation of $G \to \lambda X.\, X$, which depends on impredicative quantification as present in the Calculus of Constructions.

There is a very close connection between the construction sketched above and the Haskell programs presented earlier. The programs seem not to use impredicative quantification explicitly because it is hidden by polymorphic recursion. However, if we attempt to present e.g. appBT using categorical combinators (e.g. fold) there seems to be no way to avoid impredicative polymorphism (which also has the consequence that this cannot be encoded in the current Haskell type system).

This also raises the question whether explaining polymorphic recursion, which arises naturally when using nested types, does in some natural cases require impredicative polymorphism. The specific case considered here shows that impredicativity can be avoided by using ω-completeness properties. It may be the case that similar explanations can be found for all sensible applications of polymorphic recursion.

7 Further Work 

There is a certain asymmetry in our construction: we construct function types of regular (inductive) types using nested (coinductive) types. It seems natural to ask what happens if we look at nested inductive types in the domain. It seems
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reasonable to look at functors definable in a simply typed language where type constructors like $\times$ or $\mu$ are just basic constants. The construction presented here can be generalized to this case (which we may call higher dimensional nested types). We plan to present details of this in a forthcoming paper.

In the current form our result is not applicable to categories of constructive functions like ω-Set. However, it seems likely that our result still holds when moving to an appropriate internal notion of limits and colimits.

The categorical features used here, e.g. initial and terminal algebras but no function types, can be syntactically encoded in a calculus which for obvious reasons does not deserve the name λ-calculus. We believe that this calculus deserves further investigation because it represents the algorithms which can be defined using only algebraic types. It would be interesting to determine the precise proof-theoretic strength of this calculus, which almost certainly exceeds that of first order arithmetic.

References 

[Ada74] J. Adamek. Free algebras and automata realizations in the language of categories. Comment. Math. Univ. Carolinae, 15:589-602, 1974.

[AR99] T. Altenkirch and B. Reus. Monadic presentations of lambda terms using generalized inductive types. In Computer Science Logic, 1999.

[BBvGvdW96] R. Backhouse, R. Bijsterveld, R. van Geldrop, and J. van der Woude. Category theory as coherently constructive lattice theory. Available from http://www.cs.nott.ac.uk/~rcb/papers/papers.html, December 1996. Working Document.

[Bla00] P. Blampied. Structured recursion for non-uniform data-types. PhD thesis, School of Computer Science and IT at the University of Nottingham, UK, 2000.

[BM98] R. Bird and L. Meertens. Nested datatypes. In J. Jeuring, editor, Mathematics of Program Construction, number 1422 in LNCS, pages 52-67. Springer Verlag, 1998.

[CS92] J. R. B. Cockett and D. Spencer. Strong categorical datatypes I. In R. A. G. Seely, editor, Proceedings Intl. Summer Category Theory Meeting, Montreal, Quebec, 23-30 June 1991, volume 13 of Canadian Mathematical Society Conf. Proceedings. American Mathematical Society, 1992.

[Hin00a] R. Hinze. Generalizing generalized tries. Journal of Functional Programming, 2000.

[Hin00b] R. Hinze. Memo functions, polytypically! In Johan Jeuring, editor, Proceedings of the Second Workshop on Generic Programming, WGP 2000, 2000.

[Jon98] G. Jones. Tabulation for type hackers. Available from ftp://ftp.comlab.ox.ac.uk/, 1998.

[PS78] G. D. Plotkin and M. B. Smyth. The category-theoretic solution of recursive domain equations. SIAM Journal on Computing, 11, 1978.




A Finitary Subsystem of the Polymorphic λ-Calculus

Thorsten Altenkirch¹ and Thierry Coquand²

¹ School of Computer Science and Information Technology, University of Nottingham, UK, txa@cs.nott.ac.uk
² Department of Computing Science, Chalmers University of Technology, Sweden, coquand@cs.chalmers.se



Abstract. We give a finitary normalisation proof for the restriction of system F where we quantify only over first-order types. As an application, the functions representable in this fragment are exactly the ones provably total in Peano Arithmetic. This is inspired by the reduction of $\Pi^1_1$-comprehension to inductive definitions presented in [Buch1] and this complements a result of [Leiv]. The argument uses a finitary model of a fragment of the system AF2 considered in [Kriv, Leiv].



1 The Polymorphic λ-Calculus

We let $D$ be the set of all untyped, maybe open, λ-terms, with β-conversion as equality. We let $c_n$ be the lambda term $\lambda x \lambda f.\, f^n\, x$. We consider the following types
$$T ::= \alpha \mid T \to T \mid (\Pi\alpha)T$$
where in the quantification, $T$ has to be built using only $\alpha$ and $\to$. We use $T, U, V$ to range over types.

We use the notation $T_1 \to T_2 \to T_3$ for $T_1 \to (T_2 \to T_3)$ and similarly $T_1 \to T_2 \to \dots \to T_n$ for $T_1 \to (T_2 \to (\dots \to T_n))$.

Let us give some examples to illustrate the restriction on quantification. We can have $T = (\Pi\alpha)[\alpha \to \alpha]$ or $(\Pi\alpha)[\alpha \to (\alpha \to \alpha) \to \alpha]$ or even $(\Pi\alpha)[((\alpha \to \alpha) \to \alpha) \to \alpha]$ but a type such as $(\Pi\alpha)[[(\Pi\beta)[\alpha \to \beta]] \to \alpha]$ is not allowed.

We have the following typing rules
$$\frac{x : T \in \Gamma}{\Gamma \vdash x : T} \qquad \frac{\Gamma, x : T \vdash t : U}{\Gamma \vdash \lambda x.t : T \to U} \qquad \frac{\Gamma \vdash u : V \to T \quad \Gamma \vdash v : V}{\Gamma \vdash u\, v : T}$$
$$\frac{\Gamma \vdash t : (\Pi\alpha)T}{\Gamma \vdash t : T(U)} \qquad \frac{\Gamma \vdash t : T}{\Gamma \vdash t : (\Pi\alpha)T}$$
where $\Gamma$ is a type context, i.e. an assignment of types to a finite set of variables, and in the last rule, $\alpha$ does not appear free in any type of $\Gamma$. We write $T(U)$ for
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a substitution where the variable which is substituted for is obvious from the context.

We let $N$ be the type $(\Pi\alpha)[\alpha \to (\alpha \to \alpha) \to \alpha]$. We have $\vdash c_n : N$ for each $n$. The goal of this note is to provide a finitary proof of the following result.

Theorem 1. If $\vdash t : N \to N$ then for each $n$ there exists $m$ such that $t\, c_n\, x\, f = f^m\, x$ for $x, f$ variables.

This result can be seen as a special case of the normalisation property. We concentrate on this simplified case to illustrate the principle of our argument. From a proof-theoretical viewpoint this special case is as hard as the normalisation property.

This result follows from [Leiv] if in the formation of $(\Pi\alpha)T$ we restrict $T$ to be of rank $\le 2$. We extend this to cover types such as
$$(\Pi\alpha)[((\alpha \to \alpha) \to \alpha) \to \alpha]$$

One non-finitary proof of this result is the following. Each type is interpreted by a subset of $D$. We define $[\![T]\!]_\rho \subseteq D$ where $\rho$ is a function assigning subsets of $D$ to type variables.
$$[\![T \to U]\!]_\rho = \{ v \in D \mid (\forall t \in [\![T]\!]_\rho)\ v\, t \in [\![U]\!]_\rho \}$$
$$[\![\alpha]\!]_\rho = \rho(\alpha)$$
and
$$[\![(\Pi\alpha)T]\!]_\rho = \bigcap_{X \subseteq D} [\![T]\!]_{\rho,\alpha=X}$$
We prove then, by induction on derivations

Lemma 1. If $x_1 : T_1, \dots, x_n : T_n \vdash t : T$ and $u_i \in [\![T_i]\!]$ then $t(u_1, \dots, u_n) \in [\![T]\!]$.

Corollary 1. If $\vdash t : N$ then $t \in [\![N]\!]$.

Lemma 2. If $u \in [\![N]\!]$ then there exists $m$ such that $u\, x\, f = f^m\, x$ for $x, f$ variables.

Proof. Consider the subset $S = \{ t \mid (\exists m)\ t = f^m\, x \}$. We have $x \in S$ and $f\, t \in S$ if $t \in S$. Hence the result.

We can now prove the theorem. If $\vdash t : N \to N$ we have then $\vdash t\, c_n : N$ because $\vdash c_n : N$. But this implies, by the two lemmas, that there exists $m$ such that $t\, c_n\, x\, f = f^m\, x$. Let us write $m = \phi(n)$. We say then that the function $\phi$ is represented by the term $t$.
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2 Second-Order Functional Arithmetic

The proof above is not finitary, because of the use of intersection over all subsets, which requires, a priori, $\Pi^1_1$-comprehension.

In some cases however, we can replace $\Pi^1_1$-comprehension by arithmetical comprehension. For instance, if $T$ is $\alpha \to (\alpha \to \alpha) \to \alpha$ then we have
$$\bigcap_{X \subseteq D} [\![T]\!]_{\alpha=X} = \{ t \in D \mid (\exists n)(\forall u, v \in D)\ t\, u\, v = v^n\, u \}$$
Indeed, if $t$ belongs to all $[\![T]\!]_{\alpha=X}$ then we can take $x, y$ variables not free in $t$ and take $X$ to be the set of all terms of the form $y^n\, x$. We have then $t\, x\, y \in X$ and hence $t\, x\, y = y^n\, x$ for some $n$. Since $x, y$ do not occur free in $t$ this implies $t\, u\, v = v^n\, u$ for all $u, v \in D$. Conversely if we have $t\, u\, v = v^n\, u$ for all $u, v \in D$ then it is direct to check that we have $t \in [\![T]\!]_{\alpha=X}$ for all $X \subseteq D$.

More generally if $T$ is of rank $\le 2$ then we can directly define $[\![(\Pi\alpha)T]\!]$ by using arithmetical comprehension only. But this does not seem to extend simply to the general case.

To analyze the proof in general, we first translate it in the language of second-order logic over $D$. We introduce the following logic AF2: we have two sorts, subsets and terms. We use $X, Y, \dots$ for variables over subsets and $x, y, \dots$ for variables over terms. The terms are elements of $D$. The formulae are
$$A ::= t \in X \mid A \to A \mid (\forall x)A \mid (\forall X)A$$
In forming $(\forall X)A$, the formula $A$ should be a first-order formula having at most $X$ as a subset variable.

A model of AF2 consists in an implicative algebra $(H, \to, \wedge, 1)$¹ and a valuation function $[\![A]\!]_\nu \in H$ where $\nu$ assigns a function $D \to H$ to each predicate variable. We write as usual $(\nu, X = f)$ for the update of $\nu$. The valuation function should be such that $[\![(\forall x)A]\!]_\nu$ is the greatest lower bound of all $[\![A(d)]\!]_\nu$ for $d \in D$ and $[\![(\forall X)A]\!]_\nu$ is the greatest lower bound of all $[\![A]\!]_{(\nu, X=f)}$ for $f \in D \to H$. Notice that we don't require $H$ to be complete. Furthermore, we should have
$$[\![A_1 \to A_2]\!]_\nu = [\![A_1]\!]_\nu \to [\![A_2]\!]_\nu$$
and
$$[\![t \in X]\!]_\nu = \nu(X)(t).$$

To each type $T$ we can associate a formula $C_T(x)$ with one term variable $x$, by taking $C_\alpha = x \in X_\alpha$, $C_{T \to U} = (\forall y)[C_T(y) \to C_U(x\, y)]$ and $C_{(\Pi\alpha)T} = (\forall X_\alpha)\, C_T(x)$. To each context $\Gamma = x_1 : T_1, \dots, x_n : T_n$ we associate the set of formulae $C_\Gamma = C_{T_1}(x_1), \dots, C_{T_n}(x_n)$ and we have

Lemma 3. If $\Gamma \vdash t : T$ then $\bigwedge_{A \in C_\Gamma} [\![A]\!] \le [\![C_T(t)]\!]$ in any model of AF2. In particular if $\vdash t : T$ we have $[\![C_T(t)]\!] = 1$.

Next we are going to build a model of AF2 in a finitary way.

¹ That is, $(H, \wedge, 1)$ is a meet semilattice and we have $x \wedge y \le z$ iff $x \le y \to z$.
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3 A Finitary Model

We consider now only first-order formulae
$$A ::= t \in X \mid A \to A \mid (\forall x)A$$
We define a first-order logic AF1 on these formulae. We let $L, M, \dots$ denote finite sets of formulae, and we write $L, M$ for $L \cup M$ and $L, A$ for $L \cup \{A\}$. We have the rules
$$\frac{}{L \vdash A}\ (A \in L) \qquad \frac{L \vdash A_1 \quad L, A_2 \vdash A}{L \vdash A}\ (A_1 \to A_2 \in L) \qquad \frac{L, A_1 \vdash A_2}{L \vdash A_1 \to A_2}$$
$$\frac{L, A_1(t) \vdash A}{L \vdash A}\ ((\forall x)A_1 \in L) \qquad \frac{L \vdash A}{L \vdash (\forall x)A}$$
In the last rule, $x$ should not occur free in $L$.

We write $L \le M$ iff $L \vdash A$ for all $A$ in $M$. It can be proved in a finitary way that this defines a poset, which we call $S_0$. We use this poset to give a finitary Kripke model of AF2.

The subsets are interpreted as functions $D \to \mathrm{Down}(S_0)$ where $\mathrm{Down}(S_0)$ is the set of downward closed subsets of $S_0$. If $A$ is a first-order formula we let $[A]$ be $\{ L \in S_0 \mid L \vdash A \}$, and if $L$ is a finite set of formulae $A_1, \dots, A_n$ we let $[L]$ be $[A_1] \cap \dots \cap [A_n]$. If $X$ is a variable we let $F_X : D \to \mathrm{Down}(S_0)$ be the function $F_X(t) = [t \in X]$. An assignment $\nu$ associates functions $D \to \mathrm{Down}(S_0)$ to subset variables. To any first-order formula $A$ we assign $[\![A]\!]_\nu \in \mathrm{Down}(S_0)$:
$$[\![t \in X]\!]_\nu = \nu(X)(t) \qquad\qquad [\![(\forall x)A]\!]_\nu = \bigcap_{u \in D} [\![A(u)]\!]_\nu$$
$$[\![A_1 \to A_2]\!]_\nu = \{ L \in S_0 \mid (\forall M \in [\![A_1]\!]_\nu)\ L, M \in [\![A_2]\!]_\nu \}$$
We let $[\![A_1, \dots, A_n]\!]$ be $[\![A_1]\!] \cap \dots \cap [\![A_n]\!]$.

Lemma 4. If $L \vdash A$ in AF1 we have $[\![L]\!]_\nu \subseteq [\![A]\!]_\nu$.

Proof. Since AF1 is intuitionistic, its derivations are valid in any Kripke model.

Lemma 5. If $A$ is a first-order formula then $[\![A]\!]_\nu = [A]$ if $\nu(X) = F_X$ for $X$ free in $A$. Also, $[\![L]\!]_\nu = [L]$ if $\nu(X) = F_X$ for $X$ free in $L$.

Proof. By induction on $A$. This follows from the equalities
$$[A_1 \to A_2] = \{ L \in S_0 \mid (\forall M \in [A_1])\ L, M \in [A_2] \}$$
and $[(\forall x)A] = \bigcap_{u \in D} [A(u)]$.
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Lemma 6. If $A$ is a first-order formula with at most $X$ as a subset variable then
$$\bigcap_{F \in D \to \mathrm{Down}(S_0)} [\![A]\!]_{X=F} \;\in\; \mathrm{Down}(S_0)$$
can be finitarily described as the set of all $L \in S_0$ such that $L \vdash A(Z)$ for $Z$ not free in $L$.

Proof. If $L \vdash A(Z)$ for $Z$ not free in $L$ then we have $[\![L]\!]_\nu \subseteq [\![A(Z)]\!]_\nu$ for any interpretation by lemma 4. If we take $\nu(Z) = F$ and $\nu(Y) = F_Y$ for $Y \ne Z$ we get $[\![L]\!] = [L]$ and hence $[L] \subseteq [\![A(Z)]\!]_{Z=F}$ so that $L \in [\![A]\!]_{X=F}$ for all $F$.

Conversely, if $L \in [\![A]\!]_{X=F}$ for all $F$, then in particular $L \in [\![A]\!]_{X=F_Z}$ and so $L \in [A(Z)]$, that is $L \vdash A(Z)$ for $Z$ not free in $L$, since $[\![A]\!]_{X=F_Z} = [\![A(Z)]\!]_{Z=F_Z} = [A(Z)]$ by lemma 5.

By finitary, we mean here that the functions we consider in $D \to \mathrm{Down}(S_0)$, if looked at as relations on $D \times S_0$, are only formed by using arithmetical comprehension.

Using lemma 6 we can build in a finitary way a model of AF2 by taking $H = \mathrm{Down}(S_0)$ and
$$1 = S_0, \qquad X \wedge Y = X \cap Y, \qquad X \to Y = \{ L \in S_0 \mid M \in X \Rightarrow L, M \in Y \}$$
By lemma 3 we have that, if $\vdash u : U$ then $1 = [\![C_U(u)]\!]$. In particular, if $\vdash t : N \to N$ then $1 = [\![C_N(t\, c_n)]\!]$, and so $1 = F(t\, c_n\, x\, f)$ if we have $1 = F(x)$ and $F(u) \subseteq F(f\, u)$ for all $u$. In particular we can take
$$F(u) = \bigcup_{m \in \mathbb{N}} \{ L \in S_0 \mid u = f^m\, x \}$$
and we have $1 = F(t\, c_n\, x\, f)$ which implies $t\, c_n\, x\, f = f^m\, x$ for some $m$.

4 An Application

We work now in $\mathrm{SAS}_0$: second order arithmetic with arithmetical comprehension. It is known that this system is conservative over Peano Arithmetic [Troe]. It is possible to represent $D$ and the poset $S_0$ in $\mathrm{SAS}_0$. The argument above however cannot be formalised as it is in $\mathrm{SAS}_0$ because of lemma 3, which requires the definition of semantics of formulae.

We consider a fixed derivation of a typing judgement of the form $\vdash t : N \to N$. In this derivation occurs only a finite set of quantified types $T_1, \dots, T_n$, and we consider the set $SF$ of subformulae of $C_{T_1}(t_1), \dots, C_{T_n}(t_n)$. We let then $S_1$ be the subposet of $S_0$ which consists only of finite sets of such subformulae.

Given any poset defined in $\mathrm{SAS}_0$ we can define $[\![A]\!]_\nu$ for $A \in SF$ in $\mathrm{SAS}_0$, see [Troe], p. 37.

Lemma 7. If $M \vdash A$ with $A \in SF$, $M \subseteq SF$ then $[\![M]\!]_\nu \subseteq [\![A]\!]_\nu$ and this is provable in $\mathrm{SAS}_0$.

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We consider then the model $H = \mathrm{Down}(S_1)$ and
$$1 = S_1, \qquad X \wedge Y = X \cap Y, \qquad X \to Y = \{ L \in S_1 \mid M \in X \Rightarrow L, M \in Y \}$$
for all $X, Y \subseteq D$.

Corollary 2. If $A$ is a first-order formula in $SF$ with at most $X$ as a subset variable then
$$\bigcap_{F \in D \to H} [\![A]\!]_{X=F} \;\in\; H$$
can be finitarily described as the set of all $L \in S_1$ such that $L \vdash A(Z)$ for $Z$ not free in $L$, and this is provable in $\mathrm{SAS}_0$.

Theorem 2. If $\phi$ is represented by a term then $\phi$ is provably total in Peano Arithmetic.

Proof. Suppose that $\phi$ is represented by a term $t$. We have a derivation of $\vdash t : N \to N$. The previous results allow us to transform this derivation to a proof in $\mathrm{SAS}_0$ that $[\![C_N(t\, c_n)]\!]$ holds for all $n$.

It follows from [Glad] that we can represent all functions provably total in Peano Arithmetic, using only the quantified type $N = (\Pi\alpha)[\alpha \to (\alpha \to \alpha) \to \alpha]$. Indeed, it shows that we can program the predecessor function, and indeed all primitive recursive functions, using only iteration. It follows from this that all functions of Gödel's system T can be programmed using only iteration. A more direct way of seeing this is that in Gödel's system T, it is possible to encode pairing of integers using the type $N \to N \to N$, and it is standard how to reduce primitive recursion to iteration and pairing.
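The iteration-and-pairing reduction the proof appeals to, as an added example that is not from the paper: Church numerals $c_n = \lambda x \lambda f.\, f^n\, x$ as Python closures, the represented function $\phi$ read off as in Theorem 1 (instantiating $x$ and $f$ by $0$ and the successor), and predecessor and primitive recursion built from iteration and pairs. The pair encoding and all names are ours.

```python
"""Church numerals in the page's argument order, c_n = \\x.\\f. f^n x, and
the reduction of primitive recursion to iteration plus pairing.
Assumption (ours): pairs are the usual closure  \\z. z a b,  which the paper
only says is encodable at type N -> N -> N."""
from typing import Any, Callable

Term = Callable[..., Any]


def church(n: int) -> Term:
    """c_n: takes x, then f, and returns f applied n times to x."""
    def c_n(x):
        def iterate(f):
            r = x
            for _ in range(n):
                r = f(r)
            return r
        return iterate
    return c_n


def represented(t: Term, n: int) -> int:
    """phi(n) = m where  t c_n x f = f^m x  (Theorem 1), read off with x := 0, f := succ."""
    return t(church(n))(0)(lambda k: k + 1)


# Pairs as closures (constructed encoding).
def pair(a, b): return lambda z: z(a)(b)
def fst(p): return p(lambda a: lambda b: a)
def snd(p): return p(lambda a: lambda b: b)


def succ(c: Term) -> Term:
    """c_{n+1}: one more application of f."""
    return lambda x: lambda f: f(c(x)(f))


def add(c: Term, d: Term) -> Term:
    return lambda x: lambda f: d(c(x)(f))(f)


def mult(c: Term, d: Term) -> Term:
    """f^(c*d) = apply (f^c) d times."""
    return lambda x: lambda f: d(x)(lambda y: c(y)(f))


def pred(c: Term) -> Term:
    """Predecessor by pure iteration on pairs: (a, b) -> (b, succ b), from (c_0, c_0)."""
    step = lambda p: pair(snd(p), succ(snd(p)))
    return fst(c(pair(church(0), church(0)))(step))


def rec(base: Term, step: Callable, c: Term) -> Term:
    """Primitive recursion  h(0) = base,  h(n+1) = step(n)(h(n)),
    obtained by iterating  (n, h(n)) -> (n+1, step(n)(h(n)))  c times."""
    s = lambda p: pair(succ(fst(p)), step(fst(p))(snd(p)))
    return snd(c(pair(church(0), base))(s))


def factorial(c: Term) -> Term:
    """n! as a term of type N -> N built from rec, hence from iteration alone."""
    return rec(church(1), lambda n: lambda acc: mult(succ(n), acc), c)
```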

Theorem 3. The set of representable functions is exactly the set of functions 
provably total in Peano Arithmetic. 

5 Discussion and Further Work

In an email to the second author, W. Buchholz suggests a simplification of the construction here, which avoids the detour through the logic AF2. He also suggests to show a more general result, i.e. that every term typable in the fragment described here β-reduces to a normal form. Although we agree that his proof is very elegant, we believe that our presentation explains better how the standard infinitary construction can be turned into a finitary one in this special case. We hope to expand on the connections between the two approaches in further work.

We are also interested to extend the construction presented here to full $\Pi^1_1$-comprehension. This would amount to showing a normalisation result for the fragment of System F where all $\Pi$-types are closed using only iterated inductive definitions. For instance, the introduction of a type such as
$$(\Pi\alpha)[\alpha \to ((N \to \alpha) \to \alpha) \to \alpha]$$
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will correspond to the use of a generalised inductive definition and the normalisation will require $\mathrm{ID}_1$. We hope that this work sheds some light on the question at which point a predicative normalisation proof of System F breaks down.



Acknowledgments. We would like to thank W. Buchholz for his comments on this paper and for suggesting an alternative construction. We would also like to point out that this paper has been inspired by [Buch1, Buch2] and to thank the anonymous referees for helpful comments on the paper.
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Abstract. We present a type discipline for the π-calculus which precisely captures the notion of sequential functional computation as a specific class of name passing interactive behaviour. The typed calculus allows direct interpretation of both call-by-name and call-by-value sequential functions. The precision of the representation is demonstrated by way of a fully abstract encoding of PCF. The result shows how a typed π-calculus can be used as a descriptive tool for a significant class of programming languages without losing the latter's semantic properties. Close correspondence with games semantics and process-theoretic reasoning techniques are together used to establish full abstraction.



1 Introduction 

This paper studies a type discipline for the π-calculus which precisely captures the notion of sequential functional computation. The precision of the representation is demonstrated by way of a fully abstract encoding of PCF. Preceding studies have shown that while operational encodings of diverse programming language constructs into the π-calculus are possible, they are rarely fully abstract [28,32]: we necessarily lose information by such a translation. The translation of a source term $M$ will generally result in a process containing more behaviour than $M$. Type disciplines for the π-calculus with significant properties such as linearity and deadlock-freedom have been studied before [9,16,21,22,29,30,37], but, to our knowledge, no previous typing system for the π-calculus has enabled a fully abstract translation of functional sequentiality. The present work shows that a relatively simple typing system suffices for this purpose. Despite its simplicity, the calculus is general enough to give clean interpretations of both call-by-name and call-by-value sequentiality, offering a basic articulation of functional sequentiality without relying on particular evaluation strategies. The core idea of the typing system is that affineness and stateless replication ensure deterministic computation. Sequentiality is guaranteed by controlling the number of threads through restricting the shape of processes. While the idea itself is simple, the result would offer a technical underpinning for the potential use of typed π-calculi as meta-languages for programming language study: having fully abstract descriptions in this setting means ensuring the results obtained in the meta-language to be transferable, in principle, to object languages. In a later exposition we wish to report how the proposed typed syntax can be a powerful tool for language analysis when coupled with process-theoretic reasoning techniques.
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From the viewpoint of the semantic study of sequentiality [6,10,27], our work positions sequentiality as a sub-class of the general universe of name passing interactive behaviour. This characterisation allows us to delineate sequentiality against the background of a broad computational universe which, among others, includes concurrency and non-determinism, offering a uniform basis on which various semantic findings can be integrated and extensions considered. A significant point in this context is the close connection between the presented calculus and game semantics [3,20,23]: the structure of interaction of typed processes (with respect to typed environments) precisely conforms to the intensional structures of games introduced in [23] and studied in e.g. [2,11,20,25,26]. It is notable that the type discipline itself does not mention basic notions in game semantics such as visibility, well-bracketing and innocence (although it does use a syntactic form of IO-alternation): yet they are derivable as operational properties of typed processes. We use this correspondence combined with process-theoretic reasoning techniques to establish full abstraction. While we expect a direct behavioural proof would be possible, the correspondence, in addition to facilitating the proof, offers deeper understanding of the present type discipline and game semantics.

We briefly give comparisons with related work. Hyland and Ong [24] presented a π-calculus encoding of innocent strategies of their games and show operational correspondence with a π-calculus encoding of PCF. Fiore and Honda [11] propose another π-calculus encoding for call-by-value games [20]. Our work, while being built on these preceding studies, is novel in that it puts forward a general type discipline where typability ensures functional sequentiality. In comparison with game semantics, our approach differs as it is based on a syntactic calculus representing a general notion of concurrent, communicating processes. In spite of the difference, our results do confirm some of the significant findings in game semantics, such as the equal status owned by call-by-name and call-by-value evaluation. From a different viewpoint, our work shows an effective way to apply game semantics to the study of basic typing systems for the π-calculus, in particular for the proof of full abstraction of encodings. Concerning the use of the π-calculus as the target language for translations, [28] was the first to point out the difficulty of fully abstract embeddings of functional sequentiality and [32] showed that the same problems arise even with the higher-order π-calculus. While some preceding work studies the significance of replication and linearity of channels [9,16,22,29,31,34,37], none offers a fully abstract interpretation of functional sequentiality.

In the remainder, Sections 2 and 3 introduce the typed calculus. Section 4 analyses operational structures of typed terms. Based on them, Section 5 establishes full abstraction. The technical details, including proofs omitted from the main sections of the paper, can be found in the full version [4].

Acknowledgements. We thank Makoto Hasegawa and Vasco Vasconcelos for 
their comments. The work of the first two authors is partially supported by 
EPSRC grant GR/N/37633. 
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2 Processes

2.1 Syntax

We use a variant of the π-calculus as our base syntax. As in typed λ-calculi, we start from the leanest untyped syntax. The following gives the reduction rule of the asynchronous version of the π-calculus, introduced in [8,18]:
$$x(\tilde y).P \mid \overline{x}\langle\tilde v\rangle \;\longrightarrow\; P\{\tilde v/\tilde y\} \qquad (1)$$
Here $\tilde y$ denotes a potentially empty vector, $\mid$ denotes parallel composition, $x(\tilde y).P$ is input, and $\overline{x}\langle\tilde v\rangle$ is asynchronous output. Operationally, this reduction represents the consumption of an asynchronous message by a receptor. The idea extends to a receptor $!x(\tilde y).P$ with recursion or replication:
$$!x(\tilde y).P \mid \overline{x}\langle\tilde v\rangle \;\longrightarrow\; !x(\tilde y).P \mid P\{\tilde v/\tilde y\}, \qquad (2)$$
where the replicated process remains in the configuration after reduction. Types for processes prescribe usage of names [29,36]. To be able to do this with precision, it is important to control dynamic sharing of names. For this purpose it is essential to distinguish free name passing and bound (private) name passing: the latter allows tight control of sharing and can control name usage in more stringent ways. In the present study, using bound name passing alone is sufficient. Further, to have tractable inference rules, it is vital to specify bound names associated with the concerned output. Thus, instead of $(\nu\, \tilde y)(\overline{x}\langle\tilde y\rangle \mid P)$, we write $\overline{x}(\tilde y)\, P$, and replace (1) by the following reduction rule.
$$x(\tilde y).P \mid \overline{x}(\tilde y)\,Q \;\longrightarrow\; (\nu\, \tilde y)(P \mid Q) \qquad (3)$$
Here "$\overline{x}(\tilde y)\, Q$" indicates that $\overline{x}(\tilde y)$ is an asynchronous output exporting $\tilde y$ which are local to $Q$. The rule corresponding to (2) is given accordingly. To ensure asynchrony of outputs, we add the following rule to the standard closure rules for $\mid$ and $(\nu\, x)$.
$$P \longrightarrow P' \;\Rightarrow\; \overline{x}(\tilde y)\,P \longrightarrow \overline{x}(\tilde y)\,P' \qquad (4)$$
Further, the following structural rules are added to allow inference of interaction under an output prefix.
$$\overline{x}(\tilde z)\,(P \mid Q) \equiv (\overline{x}(\tilde z)\,P) \mid Q \quad \text{if } \mathrm{fn}(Q) \cap \{\tilde z\} = \emptyset, \qquad (5)$$
$$\overline{x}(\tilde z)\,(\nu\, y)P \equiv (\nu\, y)\,\overline{x}(\tilde z)\,P \quad \text{if } y \notin \{x, \tilde z\}. \qquad (6)$$
By these rules we maintain the dynamics based on the original asynchronous calculus (up to the equation $\overline{x}(\tilde z)\,P \equiv (\nu\, \tilde z)(\overline{x}\langle\tilde z\rangle \mid P)$), while enabling output actions to be typed with the same ease as input actions. Name-passing calculi using only bound name passing, called πI-calculi, have been studied in [7,33].

Another useful construct for typing is branching. Branching is similar to the "case" construct in typed λ-calculi and can represent both base values such as
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booleans or integers and conditionals. While binary branching has some merit, we use indexed branching because it simplifies the description of base value passing. The branching variant of the reduction (3) becomes:
$$x[\&_{i \in I}(\tilde y_i).P_i] \mid \overline{x}\,\mathrm{in}_j(\tilde y_j)\,Q \;\longrightarrow\; (\nu\, \tilde y_j)(P_j \mid Q) \qquad (7)$$
where we assume $j \in I$, with $I\ (\ne \emptyset)$ denoting a finite or countably infinite indexing set. Accordingly we define the rule for replicated branching. Branching constructs of this kind have been studied in TyCO [35] and other calculi [12,15,17] (the corresponding type structure already appeared in Linear Logic [1,13]).

Augmenting the original asynchronous syntax with bound output and branching, we now arrive at the following grammar.
$$\begin{array}{rll@{\qquad}rll}
P ::= & x(\tilde y).P & \text{input} & \mid & P \mid Q & \text{parallel} \\
\mid & \overline{x}(\tilde y)\,P & \text{output} & \mid & (\nu\, x)P & \text{hiding} \\
\mid & x[\&_{i \in I}(\tilde y_i).P_i] & \text{branching input} & \mid & 0 & \text{inaction} \\
\mid & \overline{x}\,\mathrm{in}_i(\tilde z)\,P & \text{selection} & \mid & !P & \text{replication}
\end{array}$$
In $!P$ we require $P$ to be either a unary or branching input. The bound/free names/variables are defined as usual and we assume the variable convention for bound names. The structural rules are standard except for the omission of $!P \equiv !P \mid P$ and the incorporation of (5) as well as (6) together with the corresponding rules for branching output. The reduction rules are as explained above, which also include variants of (3) and (7) for replicated branching inputs.



2.2 Examples

Henceforth we omit trailing zeros and null arguments and write $x[\&_i P_i]$ for $x[\&_i ().P_i]$.

(i) $[\![n]\!]_u \stackrel{\mathrm{def}}{=}\ !u(a).\overline{a}\,\mathrm{in}_n$. Each time $[\![n]\!]_u$ is invoked, it replies by telling its number, $n$. Here a natural number becomes a stateless server.

(ii) $[\![\mathrm{succ}]\!]_u \stackrel{\mathrm{def}}{=}\ !u(ya).\overline{y}(b)\, b[\&_n\, \overline{a}\,\mathrm{in}_{n+1}]$. $[\![\mathrm{succ}]\!]_u$ describes the behaviour of a successor function, which queries for its argument, a natural number as in (i) above, and returns its increment. This is another stateless server but this time it asks its client for an input.

(iii) $!u(xa).\overline{x}(zb)\,([\![1]\!]_z \mid b[\&_i\, \overline{a}\,\mathrm{in}_i])$. This represents a type-2 functional $\lambda x.\, x\,1 : (\mathsf{Nat} \Rightarrow \mathsf{Nat}) \Rightarrow \mathsf{Nat}$. When the process is invoked, it queries for its argument (which is a function itself), that function then asks back for its own argument, to which $[\![1]\!]_z$ replies. Finally the process receives, at $b$, an answer to its own question, based on which it answers to the initial question.
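The three processes above run as an added simulation that is not code from the paper: the `Net` runtime, its method names and the direct-call delivery of messages are our constructions. A replicated input is a handler installed at a name, an affine input is a handler consumed by its first message, bound output mints fresh names, and selection `in_j` delivers the branch index to the branching input.

```python
"""Simulation of [[n]]_u, [[succ]]_u and the type-2 functional of Section 2.2.
Assumption (ours): because these encodings are deterministic and sequential,
delivering each asynchronous message by a direct call to the receptor gives
the same answers as a scheduler would."""
from typing import Callable, Dict


class Net:
    """A very small name-passing runtime (constructed for this example)."""

    def __init__(self):
        self.inputs: Dict[str, Callable] = {}
        self.counter = 0

    def fresh(self, hint: str) -> str:
        """(nu y): a fresh, private name."""
        self.counter += 1
        return f"{hint}#{self.counter}"

    def replicated(self, x: str, body: Callable) -> None:
        """!x(y~).P stays installed for ever (a stateless server)."""
        self.inputs[x] = body

    def affine(self, x: str, body: Callable) -> None:
        """x(y~).P is consumed by its first (and only) message."""
        def once(*args):
            del self.inputs[x]
            return body(*args)
        self.inputs[x] = once

    def out(self, x: str, *args) -> None:
        """x(y~)Q: the message at x is consumed by the receptor at x."""
        self.inputs[x](*args)


def numeral(net: Net, u: str, n: int) -> None:
    """[[n]]_u = !u(a).a in_n : a natural number as a stateless server."""
    net.replicated(u, lambda a: net.out(a, n))          # select branch n at a


def succ(net: Net, u: str) -> None:
    """[[succ]]_u = !u(ya).y(b) b[&_n a in_{n+1}]: ask y for its number, answer n+1."""
    def body(y, a):
        b = net.fresh("b")
        net.affine(b, lambda n: net.out(a, n + 1))      # b[&_n a in_{n+1}]
        net.out(y, b)                                    # y(b): query the argument
    net.replicated(u, body)


def apply_to_one(net: Net, u: str) -> None:
    """!u(xa).x(zb)([[1]]_z | b[&_i a in_i]): the type-2 functional \\x. x 1."""
    def body(x, a):
        z, b = net.fresh("z"), net.fresh("b")
        numeral(net, z, 1)                               # [[1]]_z
        net.affine(b, lambda i: net.out(a, i))           # forward the answer to a
        net.out(x, z, b)                                 # x(zb): ask x, argument z
    net.replicated(u, body)


def query(net: Net, u: str, *args) -> int:
    """Invoke the server at u with a fresh affine answer name and read the reply."""
    got = []
    a = net.fresh("a")
    net.affine(a, got.append)
    net.out(u, *args, a)
    return got[0]


def demo() -> tuple:
    net = Net()
    succ(net, "s")
    apply_to_one(net, "f")
    numeral(net, "seven", 7)
    # [[succ]] applied to [[7]] answers 8; the functional applied to [[succ]] answers succ 1 = 2
    return query(net, "s", "seven"), query(net, "f", "s")
```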
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3 Typing

3.1 Action Modes

Functional computation is deterministic. There are two basic ways to realise this in interacting processes. One is to have (at most) one input and (at most) one output at a given channel (such a channel is called affine). Another is to have a unique stateless replicated input with zero or more dual outputs. These ideas have been studied in the past [13,15,16,21,22,31,34,37]. To capture them in typing, we use the following action modes, denoted $p, q, \dots$
$$\begin{array}{ll@{\qquad}ll}
!_1 & \text{Affine input} & ?_1 & \text{Affine output} \\
!_\omega & \text{Replicated input} & ?_\omega & \text{Output to replicated input}
\end{array}$$
We also use $\bot$ to denote the presence of both input and output at an affine channel. In the table above, the mode on the left and that on the right in the same row are dual to each other, denoted $\overline{p}$ (for example, $\overline{!_1} = ?_1$).

3.2 Channel Types

Channel types indicate possible usage of channels. We use sorting [29] augmented with branching [1,13,15,17,35] and action modes. The grammar follows.
$$\begin{array}{lcl}
\alpha ::= (\tau, \overline{\tau}) & \qquad & \tau_I ::= (\tilde\tau)^{!_1} \mid (\tilde\tau)^{!_\omega} \mid [\&_{i \in I}\tilde\tau_i]^{!_1} \mid [\&_{i \in I}\tilde\tau_i]^{!_\omega} \\
\tau ::= \tau_I \mid \tau_O & \qquad & \tau_O ::= (\tilde\tau)^{?_1} \mid (\tilde\tau)^{?_\omega} \mid [\oplus_{i \in I}\tilde\tau_i]^{?_1} \mid [\oplus_{i \in I}\tilde\tau_i]^{?_\omega}
\end{array}$$
In the first line $\overline{\tau}$ denotes the dual of $\tau$, which is the result of dualising all action modes and exchanging $\oplus$ and $\&$. A type of form $(\tau, \overline{\tau})$ is called pair type, which we regard as a set. $[\&_{i \in I} \dots]$ corresponds to branching and $[\oplus_{i \in I} \dots]$ corresponds to selection. As an example of types, let $\mathsf{Nat}^{\bullet} \stackrel{\mathrm{def}}{=} [\oplus_{i \in \mathbb{N}}]^{?_1}$ and $\mathsf{Nat}^{\circ} \stackrel{\mathrm{def}}{=} (\mathsf{Nat}^{\bullet})^{!_\omega}$. Then in $!a(x).\overline{x}\,\mathrm{in}_n$, $x$ is used as $\mathsf{Nat}^{\bullet}$ while $a$ is used as $\mathsf{Nat}^{\circ}$.

A further idea in functional computation is asking a question and receiving a unique answer [3,23]. A type is sequential when for each subexpression:

(i) In $(\tilde\tau)^{!_\omega}$, if $\tilde\tau \ne \varepsilon$ then there is a unique $\tau_i$ of mode $?_1$, while each $\tau_j$ ($i \ne j$) is of mode $?_\omega$. Dually for $(\tilde\tau)^{?_\omega}$. The same applies to $[\&_{i \in I}\tilde\tau_i]^{!_\omega}$ and $[\oplus_{i \in I}\tilde\tau_i]^{?_\omega}$.

(ii) In $(\tilde\tau)^{!_1}$ each $\tau_i$ is of mode $?_\omega$; dually for $(\tilde\tau)^{?_1}$. The same applies to $[\&_{i \in I}\tilde\tau_i]^{!_1}$ and $[\oplus_{i \in I}\tilde\tau_i]^{?_1}$.

As an example, $(\mathsf{Nat}^{\circ}\,\mathsf{Nat}^{\bullet})^{!_\omega}$ is a sequential type for $[\![\mathrm{succ}]\!]_u$ in §2.2 (ii).
3.3 Action Types and IO-Modes

The sequents we use have the form $\Gamma \vdash_\phi P \triangleright A$. $\Gamma$ is a base, i.e. a finite map from names to channel types, $P$ is a process with type annotations on binding names, $A$ is an action type, and $\phi$ is an IO-mode. Intuitively, an action type
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witnesses the real usage of channels in $P$ with respect to their modes specified in $\Gamma$ (thus controlling determinacy); an IO-mode ensures $P$ contains at most one active thread (thus controlling sequentiality). Below in (i) we use a symmetric partial operator $\odot$ on action modes generated from $!_1 \odot ?_1 = \bot$, $?_\omega \odot ?_\omega = ?_\omega$ and $!_\omega \odot ?_\omega = !_\omega$. Thus, for example, $!_1 \odot !_1$ is undefined. This partial algebra ensures that only one-one (resp. one-many) connection is possible at an affine (resp. replicated) channel.

(i) An action type assigns action modes to names. Each assignment is written $px$. $\mathrm{fn}(A)$ denotes the set of names in $A$. A partial operator $A \odot B$ is defined iff $p \odot q$ is defined whenever $px \in A$ and $qx \in B$; then we set $A \odot B = (A \setminus B) \cup (B \setminus A) \cup \{(p \odot q)x \mid px \in A, qx \in B\}$. We write $A \asymp B$ when $A \odot B$ is defined. The set of modes used in $A$ is $\mathrm{md}(A)$.

(ii) An IO-mode is one of $\{\mathsf{I}, \mathsf{O}\}$. We set $\mathsf{I} \odot \mathsf{I} = \mathsf{I}$ and $\mathsf{I} \odot \mathsf{O} = \mathsf{O} \odot \mathsf{I} = \mathsf{O}$. Note $\mathsf{O} \odot \mathsf{O}$ is not defined. When $\phi_1 \odot \phi_2$ is defined we write $\phi_1 \asymp \phi_2$.

In IO-modes, $\mathsf{O}$ indicates a unique active output (consider it as a thread): thus the undefinedness of $\mathsf{O} \odot \mathsf{O}$ shows that we do not want more than one thread in a process.
3.4 Typing Rules 



$(\mathrm{Zero})\quad \dfrac{\Gamma\ \text{sequential}}{\Gamma \vdash_{\mathsf{i}} 0 \triangleright \emptyset}$

$(\mathrm{In}^{!_1})\ (C/\tilde{y} = ?A)\quad \dfrac{\Gamma \vdash x : (\tilde{\tau})^{!_1} \qquad \Gamma \cdot \tilde{y} : \tilde{\tau} \vdash_{\mathsf{o}} P \triangleright C^{-x}}{\Gamma \vdash_{\mathsf{i}} x(\tilde{y} : \tilde{\tau}).P \triangleright A \otimes\, !_1 x}$

$(\mathrm{In}^{!_\omega})\ (C/\tilde{y} = ?_\omega A)\quad \dfrac{\Gamma \vdash x : (\tilde{\tau})^{!_\omega} \qquad \Gamma \cdot \tilde{y} : \tilde{\tau} \vdash_{\mathsf{o}} P \triangleright C^{-x}}{\Gamma \vdash_{\mathsf{i}}\ !x(\tilde{y} : \tilde{\tau}).P \triangleright A \otimes\, !_\omega x}$

$(\mathrm{Par})\quad \dfrac{\Gamma \vdash_{\phi_i} P_i \triangleright A_i\ (i = 1,2) \qquad A_1 \asymp A_2 \qquad \phi_1 \asymp \phi_2}{\Gamma \vdash_{\phi_1 \odot \phi_2} P_1 \mid P_2 \triangleright A_1 \odot A_2}$

$(\mathrm{Out}^{?_1})\ (C/\tilde{y} = A \asymp\, ?_1 x)\quad \dfrac{\Gamma \vdash x : (\tilde{\tau})^{?_1} \qquad \Gamma \cdot \tilde{y} : \tilde{\tau} \vdash_{\mathsf{i}} P \triangleright C}{\Gamma \vdash_{\mathsf{o}} \overline{x}(\tilde{y} : \tilde{\tau})P \triangleright A \odot\, ?_1 x}$

$(\mathrm{Out}^{?_\omega})\ (C/\tilde{y} = A \asymp\, ?_\omega x)\quad \dfrac{\Gamma \vdash x : (\tilde{\tau})^{?_\omega} \qquad \Gamma \cdot \tilde{y} : \tilde{\tau} \vdash_{\mathsf{i}} P \triangleright C}{\Gamma \vdash_{\mathsf{o}} \overline{x}(\tilde{y} : \tilde{\tau})P \triangleright A \odot\, ?_\omega x}$

$(\mathrm{Res})\quad \dfrac{\Gamma \cdot x : \alpha \vdash_\phi P \triangleright A \otimes px \qquad p \in \{\bot, !_\omega\}}{\Gamma \vdash_\phi (\nu\, x : \alpha)P \triangleright A}$

$(\mathrm{Weak}\text{-}\bot)\quad \dfrac{\Gamma \vdash x : !_1, ?_1 \qquad \Gamma \vdash_\phi P \triangleright A^{-x}}{\Gamma \vdash_\phi P \triangleright A \otimes \bot x}$

$(\mathrm{Weak}\text{-}?_\omega)\quad \dfrac{\Gamma \vdash x : ?_\omega \qquad \Gamma \vdash_\phi P \triangleright A^{-x}}{\Gamma \vdash_\phi P \triangleright A \otimes\, ?_\omega x}$

Fig. 1. Sequential Typing System



The typing rules are given in Figure 1. The rules for branching/selection are defined similarly and left to Appendix A. The following notation is used:

$?_\omega A \stackrel{\mathrm{def}}{=} A$ s.t. $\mathsf{md}(A) = \{?_\omega\}$; $\qquad A^{-x} \stackrel{\mathrm{def}}{=} A$ s.t. $x \notin \mathsf{fn}(A)$;

$?A \stackrel{\mathrm{def}}{=} A$ s.t. $\mathsf{md}(A) = \{?_\omega, ?_1\}$; $\qquad A \otimes B \stackrel{\mathrm{def}}{=} A \cup B$ s.t. $\mathsf{fn}(A) \cap \mathsf{fn}(B) = \emptyset$;

$A/x \stackrel{\mathrm{def}}{=} A \setminus \{px\}$ s.t. $\{x\} \subseteq \mathsf{fn}(A)$; $\qquad \Gamma \cdot \Delta \stackrel{\mathrm{def}}{=} \Gamma \cup \Delta$ s.t. $\mathsf{fn}(\Gamma) \cap \mathsf{fn}(\Delta) = \emptyset$.

$\Gamma \vdash x : \tau$ denotes $x : \tau$ or $x : (\tau, \overline{\tau})$ in $\Gamma$, while $\Gamma \vdash x : p$ indicates $\Gamma \vdash x : \tau$ such that the mode of $\tau$ is $p$. Typed processes are often called sequential processes. The sequent $\Gamma \vdash_\phi P \triangleright A$ is often abbreviated to $\Gamma \vdash_\phi P$.

We briefly illustrate each typing rule. In (Zero), we start in $\mathsf{i}$-mode since there is no active output. In (Par), "$\asymp$" controls composability, ensuring that at most one thread is active in a given term. In (Res), we do not allow a $?_1$-, $?_\omega$- or $!_1$-channel to be restricted since these actions expect their dual actions to exist in the environment (cf. [16,19,22]). $(\mathrm{In}^{!_1})$ ensures that $x$ occurs precisely once (by $C^{-x}$) and that no free input is suppressed under the prefix (by $C/\tilde{y} = ?A$). $(\mathrm{Out}^{?_1})$ also ensures that an output at $x$ occurs precisely once, but does not suppress the body by the prefix since output is asynchronous (essentially the rule composes the output prefix and the body in parallel). $(\mathrm{Weak}\text{-}\bot)$ allows assigning the same type after a pair of dual affine channels disappears following an interaction. This is essential for subject reduction. $(\mathrm{In}^{!_\omega})$ is the same as $(\mathrm{In}^{!_1})$ except that no free $?_1$-channels are suppressed (note that if a $?_1$-channel is under replication then it can be used more than once). $(\mathrm{Out}^{?_\omega})$ and $(\mathrm{Weak}\text{-}?_\omega)$ say that $?_\omega$-channels occur zero or more times, and do not suppress any actions. Finally, in $(\mathrm{Out}^{?_1})$ and $(\mathrm{Out}^{?_\omega})$, the premise must have $\mathsf{i}$-mode, for otherwise we would end up with more than one thread. Note that, for input, we require the premise to be in $\mathsf{o}$-mode. Together these ensure that single-threadedness is invariant under reduction, as we discuss later.

3.5 Examples 

The following examples indicate how the present type discipline imposes strong constraints on term structure.

(i) Given $\Gamma = a : ()^{?_1} \cdot b : (()^{?_1}, ()^{!_1}) \cdot c : ()^{?_1}$ we build sequential processes one by one, starting from inaction. (1) $\Gamma \vdash_{\mathsf{i}} 0 \triangleright \emptyset$, (2) $\Gamma \vdash_{\mathsf{o}} \overline{a} \triangleright\, ?_1 a$, and (3) $\Gamma \vdash_{\mathsf{i}} b.\overline{a} \triangleright\, ?_1 a \otimes\, !_1 b$. Then we have:

$\Gamma \vdash_{\mathsf{o}} \overline{b} \mid b.\overline{a} \triangleright\, ?_1 a \otimes \bot b \quad$ with $?_1 b \odot\, !_1 b = \bot b$ and $\mathsf{o} \odot \mathsf{i} = \mathsf{o}$

where "$\bot b$" means name $b$ is no longer composable. Note that for any $\phi$, $\Gamma \not\vdash_\phi b.\overline{a} \mid b.\overline{c}$ since $b$ is affine.

(ii) Given $\Gamma = a : ()^{?_\omega} \cdot b : (()^{?_\omega}, ()^{!_\omega})$, we have:

— $\Gamma \vdash_{\mathsf{o}} \overline{a} \mid\, !b.\overline{a} \triangleright\, ?_\omega a \otimes\, !_\omega b$ with $?_\omega a \odot\, ?_\omega a = ?_\omega a$ and $\mathsf{o} \odot \mathsf{i} = \mathsf{o}$; and

— $\Gamma \vdash_{\mathsf{o}}\, !b.\overline{a} \mid \overline{b} \triangleright\, ?_\omega a \otimes\, !_\omega b$ with $?_\omega b \odot\, !_\omega b = !_\omega b$.

However, for any $\phi$, $\Gamma \not\vdash_\phi \overline{a} \mid\, !b.\overline{a} \mid \overline{b}$ since $\mathsf{o} \odot \mathsf{o}$ is undefined. This example shows that control by IO-modes is essential even when two $?_\omega$-mode outputs at the same channel do not appear in parallel: after one step of interaction between $!b.\overline{a}$ and $\overline{b}$, two messages to $a$ would appear in parallel.

(iii) For $\llbracket n \rrbracket_u$ in Example 2.2 (i), we have $u : \mathsf{Nat}^\circ \vdash_{\mathsf{i}} \llbracket n \rrbracket_u$ (see §3.2 for $\mathsf{Nat}^\circ$).

(iv) For $\llbracket \mathsf{succ} \rrbracket_u$ in Example 2.2 (ii), we can derive $u : (\overline{\mathsf{Nat}}{}^\circ\, \mathsf{Nat}^\ast)^{!_\omega} \vdash_{\mathsf{i}} \llbracket \mathsf{succ} \rrbracket_u$.

(v) For the process in Example 2.2 (iii), let $\tau = ((\mathsf{Nat}^\circ\, \overline{\mathsf{Nat}}{}^\ast)^{?_\omega}\, \mathsf{Nat}^\ast)^{!_\omega}$. Then we have $u : \tau \vdash_{\mathsf{i}}\ !u(xa).\overline{x}(zb)(\llbracket 1 \rrbracket_z \mid b[\&_{i\in\mathbb{N}}\, \overline{a}\,\mathsf{in}_{i-1}]) \triangleright\, !_\omega u$.

(vi) A copy-cat $[x \to y]^{\tau} \stackrel{\mathrm{def}}{=}\ !x(a).\overline{y}(b)b.\overline{a}$ copies all behaviour starting at one channel to those starting at another. Let $\tau = (()^{?_1})^{!_\omega}$ and $\Gamma = x : \tau \cdot y : \overline{\tau}$. Then (1) $\Gamma \cdot a : ()^{?_1} \cdot b : ()^{!_1} \vdash_{\mathsf{i}} b.\overline{a} \triangleright\, ?_1 a \otimes\, !_1 b$, (2) $\Gamma \cdot a : ()^{?_1} \vdash_{\mathsf{o}} \overline{y}(b)b.\overline{a} \triangleright\, ?_1 a \otimes\, ?_\omega y$ with $(?_1 a \otimes\, !_1 b)/b = ?_1 a$, and (3) $\Gamma \vdash_{\mathsf{i}} [x \to y]^{\tau} \triangleright\, !_\omega x \otimes\, ?_\omega y$.

Taking for example $(\nu\, x)(P \mid [x \to y]^{\tau})$ with $P \stackrel{\mathrm{def}}{=} \overline{x}(a)a.\overline{c}$, we can check that all actions of $P$ are copied from $x$ to $y$ (this does not include $c$, which is emitted by $P$).

(vii) Let $\Delta = x : (\tau, \overline{\tau}) \cdot y : (\tau, \overline{\tau}) \cdot z : (\tau, \overline{\tau})$ and $\tau$ as in (vi). Then we have:

— connection of two links: $\Delta \vdash_{\mathsf{i}} [x \to y]^{\tau} \mid [y \to z]^{\tau} \triangleright\, !_\omega x \otimes\, !_\omega y \otimes\, ?_\omega z$ with $?_\omega y \odot\, !_\omega y = !_\omega y$.

— links to a shared resource at $z$: $\Delta \vdash_{\mathsf{i}} [x \to z]^{\tau} \mid [y \to z]^{\tau} \triangleright\, !_\omega x \otimes\, !_\omega y \otimes\, ?_\omega z$ with $?_\omega z \odot\, ?_\omega z = ?_\omega z$.

However, for any $\phi$ and environment, $[x \to z]^{\tau} \mid [x \to y]^{\tau}$, which represents non-deterministic forwarding, is untypable since $!_\omega x \odot\, !_\omega x$ is undefined.

(viii) Let $\rho \stackrel{\mathrm{def}}{=} ([\oplus_{i\in\mathbb{N}}]^{?_1})^{!_\omega}$ and $\Omega \stackrel{\mathrm{def}}{=} (\nu\, xy)([x \to y]^{\tau} \mid [y \to x]^{\tau} \mid \overline{x}(a)a[\&_{i\in\mathbb{N}}\, \overline{z}\,\mathsf{in}_i])$. Then $u : \rho \vdash_{\mathsf{i}}\ !u(z).\Omega \triangleright\, !_\omega u$. Unlike $\llbracket n \rrbracket_u$, it returns nothing when asked, representing the undefined.
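The mode algebra of §3.3 and the (Par) rule, as an added example (not the paper's own code) checked against Examples 3.5 (i) and (ii); the ASCII names `!1`, `!w`, `?1`, `?w` and `_|_` stand for the modes $!_1$, $!_\omega$, $?_1$, $?_\omega$ and $\bot$, and the sample typings are transcribed from the examples above.

```python
# Added example (not from the paper): the partial algebra of action modes and
# IO-modes from Section 3.3, and the composition A ⊙ B of action types used by
# the (Par) rule, checked against Examples 3.5 (i) and (ii).
from typing import Dict, Optional, Tuple

# Action modes: "!1" affine input, "!w" replicated input, "?1" affine output,
# "?w" replicated output, "_|_" a consumed pair of dual affine channels.
# The generating equations of ⊙; the operator is symmetric, so each pair is
# stored as an unordered set.  Everything else (e.g. !1 ⊙ !1) is undefined.
MODE_TABLE = {
    frozenset({"!1", "?1"}): "_|_",
    frozenset({"?w"}): "?w",
    frozenset({"!w", "?w"}): "!w",
}

ActionType = Dict[str, str]          # name -> action mode, e.g. {"a": "?1"}
Typing = Tuple[str, ActionType]      # (IO-mode, action type) of a process


def mode_compose(p: str, q: str) -> Optional[str]:
    """p ⊙ q on action modes; None when the composition is undefined."""
    return MODE_TABLE.get(frozenset({p, q}))


def composable(a: ActionType, b: ActionType) -> bool:
    """A ≍ B: p ⊙ q is defined for every name x with px ∈ A and qx ∈ B."""
    return all(mode_compose(a[x], b[x]) is not None for x in a.keys() & b.keys())


def compose_types(a: ActionType, b: ActionType) -> Optional[ActionType]:
    """A ⊙ B = (A \\ B) ∪ (B \\ A) ∪ {(p ⊙ q)x | px ∈ A, qx ∈ B}, or None."""
    if not composable(a, b):
        return None
    result = {x: p for x, p in a.items() if x not in b}
    result.update({x: q for x, q in b.items() if x not in a})
    result.update({x: mode_compose(a[x], b[x]) for x in a.keys() & b.keys()})
    return result


def io_compose(phi: str, psi: str) -> Optional[str]:
    """IO-modes: i ⊙ i = i, i ⊙ o = o ⊙ i = o, o ⊙ o undefined (two threads)."""
    if phi == "o" and psi == "o":
        return None
    return "o" if "o" in (phi, psi) else "i"


def par(p1: Typing, p2: Typing) -> Optional[Typing]:
    """The (Par) rule: P1 | P2 is typable iff both compositions are defined."""
    phi = io_compose(p1[0], p2[0])
    a = compose_types(p1[1], p2[1])
    if phi is None or a is None:
        return None
    return phi, a


# Example 3.5 (i): b̄ | b.ā composes (?1 b ⊙ !1 b = ⊥ b, o ⊙ i = o); b.ā | b.c̄ does not.
OUT_B = ("o", {"b": "?1"})                    # Γ ⊢_o b̄ ▷ ?1 b
IN_B_OUT_A = ("i", {"b": "!1", "a": "?1"})    # Γ ⊢_i b.ā ▷ ?1 a ⊗ !1 b
IN_B_OUT_C = ("i", {"b": "!1", "c": "?1"})    # Γ ⊢_i b.c̄ ▷ ?1 c ⊗ !1 b

# Example 3.5 (ii): ā | !b.ā and !b.ā | b̄ are typable, ā | !b.ā | b̄ is not.
OUT_A_W = ("o", {"a": "?w"})                  # Γ ⊢_o ā ▷ ?ω a
REPL_B_OUT_A = ("i", {"b": "!w", "a": "?w"})  # Γ ⊢_i !b.ā ▷ ?ω a ⊗ !ω b
OUT_B_W = ("o", {"b": "?w"})                  # Γ ⊢_o b̄ ▷ ?ω b

if __name__ == "__main__":
    print(par(OUT_B, IN_B_OUT_A))          # ('o', {'a': '?1', 'b': '_|_'})
    print(par(IN_B_OUT_A, IN_B_OUT_C))     # None: !1 ⊙ !1 undefined
    first = par(OUT_A_W, REPL_B_OUT_A)     # ('o', {'a': '?w', 'b': '!w'})
    print(first and par(first, OUT_B_W))   # None: o ⊙ o undefined
```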



3.6 Basic Syntactic Properties 

The type discipline satisfies the following standard properties. In (i) and (ii) below, the partial order $\leq$ on bases is generated from set inclusion and the rule $\Gamma \leq \Delta \Rightarrow \Gamma \cdot x : \tau \leq \Delta \cdot x : (\tau, \overline{\tau})$. The order on action types is simply set inclusion. In (iii) we let $\twoheadrightarrow$ be the reflexive and transitive closure of $\longrightarrow$.

Proposition 1. (i) (weakening) If $\Delta \leq \Gamma$ and $\Delta \vdash_\phi P$ then $\Gamma \vdash_\phi P$.

(ii) (minimal type) A typable process has a minimum base and action type. Further, if $\Gamma \vdash_\phi P$ and $\Delta \vdash_\psi P$ then $\phi = \psi$.

(iii) (subject reduction) If $\Gamma \vdash_\phi P$ and $P \twoheadrightarrow Q$ then $\Gamma \vdash_\phi Q$.

We say an occurrence (subterm) in a process is an active input (resp. active output) if it is an input-prefixed (resp. output-prefixed) term which neither occurs under an input prefix nor has its subject bound by an output prefix.

Proposition 2. (i) Let $\Gamma \vdash_\phi P \triangleright A \otimes px$ such that $p \in \{!_\omega, !_1\}$. Then there is an active input with free subject $x$ in $P$.

(ii) Let $\Gamma \vdash_\phi P$. (1) If $\phi = \mathsf{i}$ there is no active output in $P$; (2) if $\phi = \mathsf{o}$ there is a unique active output in $P$; and (3) in both cases, two input processes never share the same name for their subjects, either bound or free.

Corollary 1. (determinacy) If $\Gamma \vdash_\phi P$ and $P \longrightarrow Q_i$ ($i = 1, 2$) then $Q_1 \equiv Q_2$ and $\phi = \mathsf{o}$.
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3.7 Contextual Equality 

Corollary 1 suggests that non-deterministic state change (which plays a basic role in e.g. bisimilarity and testing/failure equivalence) may safely be ignored in typed equality, so that a Morris-like contextual equivalence suffices as a basic equality over processes. Let us say $x$ is active when it is the free subject of an active input/output, e.g. $x$ in $(\nu\, w)(\overline{x}(y)P \mid R)$ assuming $x \neq w$. We first define:

$\Gamma \vdash_\phi P \Downarrow_x \ \stackrel{\mathrm{def}}{\Leftrightarrow}\ P \twoheadrightarrow P'$ with $x$ active in $P'$ and $\Gamma \vdash_\phi P \triangleright A \otimes\, ?_1 x$.

Choosing only affine output as observables induces a strictly coarser (pre-)congruence than if we had also included non-affine output ($?_\omega$-actions are not considered since, intuitively, they do not affect the environment). We can now define a typed equality. Below, a relation over sequential processes is typed if it relates only processes with identical base, action type and IO-mode. A relation $\cong$ is a typed congruence when it is a typed equivalence closed under typed contexts and, moreover, it satisfies: if $\Gamma \geq \Delta$ and $\Delta \vdash_\phi P \cong Q$ then $\Gamma \vdash_\phi P \cong Q$.

Definition 1. $\cong_{\mathrm{seq}}$ is the maximum typed congruence on sequential processes such that: if $\Gamma \vdash_\phi P \cong_{\mathrm{seq}} Q$ and $\Gamma \vdash_\phi P \Downarrow_x$ then $\Gamma \vdash_\phi Q \Downarrow_x$.

4 Analysis of Sequential Interactive Behaviour 

4.1 Preamble 

The purpose of the rest of the paper is to demonstrate that our typed processes precisely characterise the notion of functional sequentiality. By functional sequentiality we mean the class of computational dynamics that is exhibited by, for example, call-by-name and call-by-value PCF. Concretely we show, via an interpretation $u : \alpha^\circ \vdash_{\mathsf{i}} \llbracket M_i : \alpha \rrbracket_u$, that for PCF terms $\vdash M_i : \alpha$ ($i = 1, 2$) we have $M_1 = M_2$ iff $u : \alpha^\circ \vdash_{\mathsf{i}} \llbracket M_1 : \alpha \rrbracket_u \cong_{\mathrm{seq}} \llbracket M_2 : \alpha \rrbracket_u$. Here $=$ is the standard contextual equality on PCF-terms [14]. To this end we first introduce typed transitions to give a tractable account of processes interacting in typed contexts (the latter, like the former, must be input-output alternating). We then show that these transitions satisfy central properties of the intensional structures of games introduced in [23], namely visibility, bracketing and innocence. In particular, by innocence, any sequential process is representable by the corresponding innocent function up to redundant $\tau$-actions. Further, the typed behaviour of a composite process $P \mid Q$ is completely determined by that of $P$ and $Q$. Finally we show, à la game semantics, that any difference between typed processes in $\cong_{\mathrm{seq}}$ can be detected by sequential "tester" processes whose graphs as innocent functions are finite. But finite processes in (the interpretation of) PCF types are in turn representable by PCF-terms up to $=$, leading to the completeness of the interpretation. Since soundness is easy by operational correspondence, this establishes full abstraction. In the following we illustrate key steps of the reasoning needed to reach finite definability.
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Note on terminology. In this section, correspondence with typed transition 
and intensional structures of games is a central topic. Since there is some dif- 
ference in terminology between process calculi and game semantics, we list the 
correspondence for reference. 

O’s Question (OQ) [ P’s Answer (PA) ] ?i 

P’s Question (PQ) ( O’s Answer (OA) ) !i 

Note that “O” is usually used to indicate “Opponent” in game semantics, which 
corresponds to input in our (process-algebraic) terminology. To avoid confusion, 
we shall consistently use “input” and “output” rather than “Opponent” and 
“Player” . 

4.2 Typed Transitions 

Let $P \stackrel{\mathrm{def}}{=}\ !x(yz).\overline{y}(c)c.\overline{z}$ and $Q \stackrel{\mathrm{def}}{=} \overline{x}(yz)(!y(c).\overline{c} \mid z.\overline{w})$. Then $P \mid Q$ is well-typed, and we have:

$P \mid Q \longrightarrow (\nu\, yz)((P \mid \overline{y}(c)c.\overline{z}) \mid (!y(c).\overline{c} \mid z.\overline{w}))$

$\longrightarrow (\nu\, yzc)((P \mid c.\overline{z}) \mid (\overline{c} \mid z.\overline{w} \mid\, !y(c).\overline{c}))$

$\longrightarrow (\nu\, yzc)((P \mid \overline{z}) \mid (z.\overline{w} \mid\, !y(c).\overline{c}))$

$\longrightarrow (\nu\, yzc)(P \mid (\overline{w} \mid\, !y(c).\overline{c}))$.

This example suggests that input and output alternate in typed interaction. Indeed this is the only way sequential processes interact: if $P$ does an output and $Q$ does an input, then the derivatives of $P$ and $Q$ should now be in $\mathsf{i}$-mode and $\mathsf{o}$-mode, respectively. If they interact again, input and output are reversed. Typed transitions are built on this idea.

First we generate untyped transitions $P \xrightarrow{\ell} Q$, with labels $\tau$, $x(\tilde{y})$, $\overline{x}(\tilde{y})$, $x\,\mathsf{in}_i(\tilde{y})$ and $\overline{x}\,\mathsf{in}_i(\tilde{y})$, by the following rules.

(In) $x(\tilde{y}).P \xrightarrow{x(\tilde{y})} P$ $\qquad$ (Out) $\overline{x}(\tilde{y})P \xrightarrow{\overline{x}(\tilde{y})} P$

(Bra) $x[\&_{i\in I}(\tilde{y}_i).P_i] \xrightarrow{x\,\mathsf{in}_i(\tilde{y}_i)} P_i$ $\qquad$ (Sel) $\overline{x}\,\mathsf{in}_i(\tilde{y})P \xrightarrow{\overline{x}\,\mathsf{in}_i(\tilde{y})} P$

The rules for replicated input are defined similarly. The contextual rules are standard except for closure under asynchronous output (we omit the corresponding rule for branching).

(Out-$\ell$) $\quad P \xrightarrow{\ell} P'$ with $\mathsf{fn}(\ell) \cap \{\tilde{y}\} = \emptyset \ \Rightarrow\ \overline{x}(\tilde{y})P \xrightarrow{\ell} \overline{x}(\tilde{y})P'$

To turn this into typed transitions, we first restrict the transitions of a process of mode $\mathsf{o}$ to only $\tau$-actions and outputs since (as discussed at the outset) the interacting party should always be in $\mathsf{i}$-mode. Secondly, if a process has $\bot x$ (resp. $!_\omega x$) in its action type, then both input and output at $x$ (resp. output at $x$) are excluded since, again, such actions can never be observed in a typed context. It is easy to check that sequential processes are closed under the restricted transition relation. The resulting typed transitions are written:

where $\tilde{y} : \tilde{\tau}$ assigns names introduced in $\ell$ as prescribed by $\Gamma$. Typed $\tau$-transitions coincide with untyped $\tau$-transitions, hence typing of transitions restricts only the observability of actions, not computation. Basic properties of transitions follow.

Proposition 3. (i) (IO-alternation) Let $\Gamma \vdash_\phi P \xrightarrow{\ell_1} \xrightarrow{\ell_2} \Delta \vdash_\psi Q$. Then (1) $\phi = \psi$, and (2) $\ell_1$ is input iff $\ell_2$ is output and vice versa.

(ii) (determinacy) If $\Gamma \vdash_\phi P \xrightarrow{\ell} \Delta \vdash_\psi Q_i$ ($i = 1, 2$) then $Q_1 \equiv_\alpha Q_2$.

(iii) (unique output) If $\Gamma \vdash_\phi P \xrightarrow{\ell_i} P_i$ ($i = 1, 2$) with $\ell_i$ output then $\ell_1 \equiv_\alpha \ell_2$.

As an example of typed transitions, let $\tau \stackrel{\mathrm{def}}{=} (\overline{\mathsf{Nat}}{}^\circ\, \mathsf{Nat}^\ast)^{!_\omega}$. Then, using the notation in Examples 2.2 (ii), we have:

$\llbracket \mathsf{succ} \rrbracket_u \xrightarrow{u(ya)} u : \tau,\ y : \overline{\mathsf{Nat}}{}^\circ,\ a : \mathsf{Nat}^\ast \vdash_{\mathsf{o}} \overline{y}(b)b[\&_{i\in\mathbb{N}}\, \overline{a}\,\mathsf{in}_{i+1}] \mid \llbracket \mathsf{succ} \rrbracket_u$

$\xrightarrow{\overline{y}(b)} u : \tau,\ y : \overline{\mathsf{Nat}}{}^\circ,\ a : \mathsf{Nat}^\ast,\ b : \overline{\mathsf{Nat}}{}^\ast \vdash_{\mathsf{i}} b[\&_{i\in\mathbb{N}}\, \overline{a}\,\mathsf{in}_{i+1}] \mid \llbracket \mathsf{succ} \rrbracket_u$

$\xrightarrow{b\,\mathsf{in}_j} u : \tau,\ y : \overline{\mathsf{Nat}}{}^\circ,\ a : \mathsf{Nat}^\ast,\ b : \overline{\mathsf{Nat}}{}^\ast \vdash_{\mathsf{o}} \overline{a}\,\mathsf{in}_{j+1} \mid \llbracket \mathsf{succ} \rrbracket_u$

$\xrightarrow{\overline{a}\,\mathsf{in}_{j+1}} u : \tau,\ y : \overline{\mathsf{Nat}}{}^\circ,\ a : \mathsf{Nat}^\ast,\ b : \overline{\mathsf{Nat}}{}^\ast \vdash_{\mathsf{i}} 0 \mid \llbracket \mathsf{succ} \rrbracket_u$



4.3 Visibility and Well-Bracketing 



Let us write $\Gamma \vdash_\phi P \stackrel{s}{\Longrightarrow} \Delta \vdash_\psi Q$ if $\Gamma \vdash_\phi P \xrightarrow{\ell_1} \xrightarrow{\ell_2} \cdots \xrightarrow{\ell_n} \Delta \vdash_\psi Q$ with $\ell_i \neq \tau$ ($0 < i \leq n$) and $s = \ell_1 \cdots \ell_n$. For $i < j$, we write $\ell_i \triangleright_{\mathrm{b}} \ell_j$ (read: $\ell_i$ binds $\ell_j$) when the subject of $\ell_j$ is bound by $\ell_i$ (e.g. $\overline{x}(y) \triangleright_{\mathrm{b}} y\,\mathsf{in}_n$). Clearly, in typable processes, input only binds output and vice versa. $\triangleright_{\mathrm{b}}$ corresponds to justification of moves in games. Now we define the notion of views as follows. The output view $\ulcorner \ell_1 \ldots \ell_n \urcorner^{\mathsf{o}}$ is defined first, with $s, t, \ldots$ ranging over sequences of labels.

$\ulcorner \varepsilon \urcorner^{\mathsf{o}} = \emptyset$

$\ulcorner s \cdot \ell_n \urcorner^{\mathsf{o}} = \{n\} \cup \ulcorner s \urcorner^{\mathsf{o}}$ $\qquad$ ($\ell_n$ output)

$\ulcorner s \cdot \ell_n \urcorner^{\mathsf{o}} = \{n\}$ $\qquad$ ($\ell_n$ input, $\forall i.\ \ell_i \not\triangleright_{\mathrm{b}} \ell_n$)

$\ulcorner s_1 \cdot \ell_i \cdot s_2 \cdot \ell_n \urcorner^{\mathsf{o}} = \{i, n\} \cup \ulcorner s_1 \urcorner^{\mathsf{o}}$ $\qquad$ ($\ell_n$ input, $\ell_i \triangleright_{\mathrm{b}} \ell_n$)

Input view, denoted $\ulcorner s \urcorner^{\mathsf{i}}$, is defined dually by exchanging $\mathsf{o}$s and $\mathsf{i}$s as well as input and output. We often confuse $\ulcorner s \urcorner^{\mathsf{o}}$ and $\ulcorner s \urcorner^{\mathsf{i}}$ with the corresponding sequences. We now define:

Definition 2. (visibility) Let $\Gamma \vdash_\phi P \stackrel{s}{\Longrightarrow} \Delta \vdash_\psi Q$. Then $s = \ell_1 \cdots \ell_n$ is input-visible if whenever $\ell_j$ is input such that $\ell_i \triangleright_{\mathrm{b}} \ell_j$, we have $i \in \ulcorner \ell_1 \cdots \ell_{j-1} \urcorner^{\mathsf{i}}$. Dually we define output-visibility. We say $\Gamma \vdash_\phi P$ is visible if whenever $\Gamma \vdash_\phi P \stackrel{s}{\Longrightarrow}$ and $s$ is input-visible then it is output-visible.

The first key result follows. 

Proposition 4. $\Gamma \vdash_\phi P$ is visible.
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The proof proceeds by first establishing that it suffices to consider only well- 
knit traces where the only free input (if any) is an initial one. We then use 
induction on the typing rules to show that well-knit traces are visible. The only 
non-trivial cases are input prefixes and parallel composition. For input prefixes 
we use Proposition 3.2 (i). For parallel composition, we use composite transitions 
of r \-^ P\Q which record the transitions of P and Q contributing to the those 
of P\Q as a whole. Such transitions can be written in a matrix with four rows. 
For example, a composite transition of a sequential process (omitting types) 
!x(c).y(e).e[&jgNciiii+i] | \y{e).'z{e').e'[hi^^e±Tii] is given as follows, writing P 
and Q for the first and second components of parallel composition: 

P- visible : x(c) cin.3 

P-T : y{e) ein2 

Q-t : y{e) ein2 

Q-visible : ^(eO e'iii2 

If such a sequence is well-knit and input- visible in its observable part (i.e. the 
first and fourth rows), then it satisfies the switching condition [3,23], i.e. the 
action of P (resp. Q) moving from one row to another is always an output. To 
establish this we use lO-modes of derivatives and input-visibility. Then output 
visibility is immediate using standard game semantics technique [20,23,26]. 

Next, well-bracketing [3,23] says that later questions are always answered first, i.e. nesting of bracketing is always properly matched. Below, following the table in §4.1, we call actions of mode $!_\omega$ and $?_\omega$ questions while actions of mode $!_1$ and $?_1$ are answers.

Definition 3. Let $\Gamma \vdash_\phi P \stackrel{s}{\Longrightarrow} \Delta \vdash_\psi Q$ be input-visible. Then $s$ is well-bracketing if, whenever $s' = s_0 \cdot \ell_i \cdot s_1 \cdot \ell_j$ for a prefix $s'$ of $s$ is such that (1) $\ell_i$ is a question and (2) $\ell_j$ is an answer free in $s_1 \cdot \ell_j$, we have $\ell_i \triangleright_{\mathrm{b}} \ell_j$.

Now we say $\Gamma \vdash_\phi P$ is well-bracketing if whenever $\Gamma \vdash_\phi P \stackrel{s}{\Longrightarrow} \xrightarrow{\ell}$, $s$ is well-bracketing and $\ell$ is output, then $s\ell$ is well-bracketing. Then we have:

Proposition 5. $\Gamma \vdash_\phi P$ is well-bracketing.

The proof uses induction on typing rules, noting that it suffices to consider well-knit sequences. The non-trivial cases are input by $!_\omega$ and parallel composition. The former holds because a $!_\omega$-prefix does not suppress a free output with action mode $?_1$, while the latter follows from the switching condition [20,23,26].

Definition 4. (legal trace) Let $\Gamma \vdash_\phi P \stackrel{s}{\Longrightarrow}$. Then $s$ is legal if it is both input-visible and well-bracketing.

4.4 Innocence 

Innocence [23] says that a process does the same action whenever it is in the same "context", i.e. in the same output-view. To establish innocence of traces of typed processes we begin with the following lemma, proved by analysis of possible redexes relying on the shape of the syntax imposed by the type discipline.

Lemma 1. (permutation) Let $\Gamma \vdash_{\mathsf{i}} P \xrightarrow{\ell_1} \xrightarrow{\ell_2} \Delta \vdash_{\mathsf{i}} Q$ such that $\ell_1 \not\triangleright_{\mathrm{b}} \ell_2$ and $\ell_2 \not\triangleright_{\mathrm{b}} \ell_1$. Then $\Gamma \vdash_{\mathsf{i}} P \xrightarrow{\ell_2} \xrightarrow{\ell_1} \Delta \vdash_{\mathsf{i}} Q$.

By the above lemma and visibility, we can transform any transition of the form $\Gamma \vdash_\phi P \stackrel{s}{\Longrightarrow} \xrightarrow{\ell}$, with $\ell$ output, to $\Gamma \vdash_\phi P \stackrel{t}{\Longrightarrow} \xrightarrow{\ell}$ where $t = \ulcorner s \urcorner^{\mathsf{o}}$. Since an output is always unique (cf. Proposition 2 (ii)), we can now conclude:

Proposition 6. (innocence) Let $\Gamma \vdash_\phi P \stackrel{s_i}{\Longrightarrow} \xrightarrow{\ell_i}$ ($i = 1, 2$) such that: (1) both sequences are legal; (2) both $\ell_1$ and $\ell_2$ are output; and (3) $\ulcorner s_1 \urcorner^{\mathsf{o}} \equiv_\alpha \ulcorner s_2 \urcorner^{\mathsf{o}}$. Then we have $\ulcorner s_1 \urcorner^{\mathsf{o}} \cdot \ell_1 \equiv_\alpha \ulcorner s_2 \urcorner^{\mathsf{o}} \cdot \ell_2$.

Note that contingency completeness in [23] corresponds to the property that any legal trace ending in an output has a legal extension ending with an input, which is immediate by Proposition 3.2 (i) and typability of transitions. Therefore, up to redundant $\tau$-actions, a sequential process is precisely characterised by the function mapping a set of output views to next actions. This is the innocent function representation of a sequential process.

It is now easy to see that well-knit legal traces of $\Gamma \vdash_\phi P_1 \mid P_2$ are uniquely determined by those of $\Gamma \vdash_{\phi_i} P_i$ ($i = 1, 2$) in the same way that innocent strategies are composed in the appropriate category of games [23].

4.5 Factoring Observables 

An important property of $\cong_{\mathrm{seq}}$ is that any violation of $\cong_{\mathrm{seq}}$ can be detected by a tester process which is finite in the sense that the cardinality of the graph of its induced innocent function is finite. In particular, for our full abstraction result, we need finite processes which are type-wise translatable to (the interpretation of) PCF terms. To this end, we first show that the congruence $\cong_{\mathrm{seq}}$ can be obtained by only closing terms under $\mid$, given an appropriate base (Context Lemma, cf. [27]). Then we use the following result to unfold replication.

Proposition 7. (open replication) Assume $\Gamma \vdash_\phi P_1 \mid P_2 \mid R$ where $R$ is a replication with subject $x$. Then $\Gamma \vdash_\phi P_1 \mid P_2 \mid R \cong_{\mathrm{seq}} (P_1 \mid R) \mid (\nu\, x)(P_2 \mid R)$.

The proof of Proposition 7 uses a bisimulation induced by the typed transition (which stays within $\cong_{\mathrm{seq}}$). We can then establish the following proposition, where $\overline{\Gamma}$ denotes the result of dualising each type occurring in $\Gamma$.

Proposition 8. (finite testability) Assume $\Gamma \vdash_{\mathsf{i}} P_i \triangleright\, ?_\omega y_1 \otimes \cdots \otimes\, ?_\omega y_n \otimes\, !_\omega z$ ($i = 1, 2$) such that $\mathsf{fn}(\Gamma) = \{\tilde{y}, z\}$. Then $\Gamma \vdash_{\mathsf{i}} P_1 \not\cong_{\mathrm{seq}} P_2$ iff there exist finite $\overline{\Gamma} \vdash_{\mathsf{i}} R_j \triangleright\, !_\omega y_j$ ($1 \leq j \leq n$) and a finite $\overline{\Gamma} \cdot x : \mathsf{Nat}^\ast \vdash_{\mathsf{o}} S \triangleright\, ?_\omega z \otimes\, ?_1 x$ such that $(\Pi_j R_j \mid P_1 \mid S) \Downarrow_x$ and $(\Pi_j R_j \mid P_2 \mid S) \not\Downarrow_x$, or its symmetric case.

Towards the proof, we first take, by the Context Lemma mentioned above, a tester of the form $\overline{\Gamma} \cdot x : \mathsf{Nat}^\ast \vdash T$ which, when composed with $P_i$, gives different observables. We then make, using Proposition 7, all shared replicated processes private to their "clients". This gives processes $R_i'$ and $S'$ which have the same
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(Type) 


Nat* = [©ieN]'i 


[ai..an-iNat]° 


del /— 5- - 


(Base) 


0° 0 


{E-x:a)° 


E° ■ x:a° 


(Terms) 


Below we set /? 


= [ai..an_iNat]. 





fx : a]„ = [m ^ *]“ 

|Aa:o : ao.M : ao=4>/3]u \ u{xoXi..x„-iz).{v u'){lMj„i \ Arg{u'xi...x„-iz)^) 

fMN : /3]„ \u{xi..x„-iz).{iyu'xo)HM : a=»/?|„/ | \N : aj^^o | Arg(rt'a;o...*„-i2)“^^) 
|n : Natju \u{z).zinn 

|succ(M) : Nat|„ ] u{z).{i> x){lMj^ \ zin„+i]) 

|pred(M) ; Nat|„ ] u{z).{i> x)(lMjj: \ ®(j/)y[&„gN ain„_i]) 

|ifzero M then N else L : fi\u 

\ u{xi..Xn-iz).{u m){\M'lra \ m{z') z' [&Zi{v u'){Pi I Arg(«'o;i..a;n-i2)'’)]) 

where Po [Y]„/ else Pi 

l^ix : a.M : a\u {um){[u ->• m]“° | \M : a|„ | [x m]“°) 

Arg(*y 2 )[“^^*l x{y’ z'){ni\y'i ^ y,]< \ [z' ^ 2 ]^) 

Fig. 2. Encoding of PCF 



types as $R_i$ and $S$ above. Finally, the shapes of types allow us to consider the processes $R_i$, $P_i$ and $S$ (to be precise, by turning $S$ into $u(x).S$) as strategies in games. We can now appeal to finite testability in games, cf. [23], from which, by retranslating finite innocent strategies to finite processes, we conclude that finite testers suffice. Alternatively we can directly reason at the level of the $\pi$-calculus and its typed transitions, showing that any behaviour characterised by a finite innocent function (which is enough for testability) is realisable by (typable) syntactic processes [5,38].

5 Full Abstraction 

5.1 Interpretation 

We consider PCF with a single base type, $\mathsf{Nat}$, without loss of generality. Let $\alpha ::= \mathsf{Nat} \mid \alpha \Rightarrow \beta$. We write $[\alpha_1 .. \alpha_n \mathsf{Nat}]$ ($n \geq 0$) for $\alpha_1 \Rightarrow (\ldots(\alpha_n \Rightarrow \mathsf{Nat})..)$.

Now the syntax of PCF terms is given by:

$M ::= x \mid \lambda x : \alpha . M \mid MN \mid n \mid \mathsf{succ}(M) \mid \mathsf{pred}(M) \mid \mathsf{ifzero}\ M\ \mathsf{then}\ N\ \mathsf{else}\ L \mid \mu x : \alpha . M$

We omit the operational semantics and the typing rules [14]. The mappings from PCF types and terms to $\pi$-types and terms, which are due to Hyland and Ong [24], are given in Figure 2. Copy-cat processes are given by $[x \to y]^{[\&_i \tilde{\tau}_i]^{!_1}} \stackrel{\mathrm{def}}{=} x[\&_i (\tilde{y}_i).\overline{y}\,\mathsf{in}_i(\tilde{y}_i')\, \Pi_j [y_{ij}' \to y_{ij}]^{\overline{\tau_{ij}}}]$ and for replicated types: $[x \to y]^{[\&_i \tilde{\tau}_i]^{!_\omega}} \stackrel{\mathrm{def}}{=}\ !x[\&_i (\tilde{y}_i).\overline{y}\,\mathsf{in}_i(\tilde{y}_i')\, \Pi_j [y_{ij}' \to y_{ij}]^{\overline{\tau_{ij}}}]$. Copy-cats for unary types are special cases where the indexing sets are singletons. The interpretation of $[\alpha_1 .. \alpha_n \mathsf{Nat}]$ says a process, when asked for its value, asks back questions at types $\alpha_1, .., \alpha_n$, receives the results to these questions, and finally returns a natural number as the answer to the initial question.

5.2 Soundness 

This is by the standard computational adequacy [27], which is proved by both-way operational correspondence, cf. [28]. Below let $\Downarrow$ on processes be defined using $\Omega$, where $\Omega$ is given in Example 3.5 (v).

Theorem 1. (computational adequacy) $M : \mathsf{Nat} \Downarrow$ iff $\llbracket M : \mathsf{Nat} \rrbracket_u \Downarrow$.

Corollary 2. (soundness) $E \vdash M = N : \alpha$ if $E^\circ \cdot u : \alpha^\circ \vdash_{\mathsf{i}} \llbracket M : \alpha \rrbracket_u \cong_{\mathrm{seq}} \llbracket N : \alpha \rrbracket_u$.

5.3 Completeness 

Assume $P$ is typed under (the interpretation of) a PCF-type and, moreover, it is finite, i.e. is representable by an innocent function. By [3,23] or by a direct syntactic transformation, $P$ can be mapped into a so-called finite canonical form, which in turn is easily transformed to a standard PCF term without changing its meaning in the interpretation up to $\cong_{\mathrm{seq}}$. Thus we obtain:

Theorem 2. (finite definability) Let $E^\circ \cdot u : \alpha^\circ \vdash_{\mathsf{i}} P \triangleright\, !_\omega u$ be finite. Then $E^\circ \cdot u : \alpha^\circ \vdash \llbracket M : \alpha \rrbracket_u \cong_{\mathrm{seq}} P$ for some $M$.

This result indicates that, in essence, only sequential functional behaviour inhabits each type. Now suppose $\vdash M_1 = M_2 : \alpha$ but $u : \mathsf{Nat}^\circ \vdash_{\mathsf{i}} \llbracket M_1 \rrbracket_u \not\cong_{\mathrm{seq}} \llbracket M_2 \rrbracket_u$. Then the latter's difference is detectable by finite processes (Proposition 8). By Theorem 2 we can consider these finite testers as interpretations of PCF-terms, so that we know, for example, $\llbracket C[M_1] : \mathsf{Nat} \rrbracket \Downarrow$ and $\llbracket C[M_2] : \mathsf{Nat} \rrbracket \not\Downarrow$. But this means, by Theorem 1, $C[M_1] : \mathsf{Nat} \Downarrow$ and $C[M_2] : \mathsf{Nat} \not\Downarrow$, contradicting our assumption. We have now reached the main result of the paper.

Theorem 3. (full abstraction) $E^\circ \cdot u : \alpha^\circ \vdash \llbracket M_1 : \alpha \rrbracket_u \cong_{\mathrm{seq}} \llbracket M_2 : \alpha \rrbracket_u$ if and only if $E \vdash M_1 = M_2 : \alpha$.

By replacing $\cong_{\mathrm{seq}}$ and $=$ with the corresponding precongruences, we similarly obtain inequational full abstraction. It is also notable that a fully abstract interpretation of call-by-value sequentiality is easily obtained by simply changing the interpretation of types. The following comes from [20]. (1) $\mathsf{Nat}^\bullet \stackrel{\mathrm{def}}{=} [\oplus_{i\in\mathbb{N}}]^{?_1}$ and $(A \Rightarrow B)^\bullet \stackrel{\mathrm{def}}{=} ((A \Rightarrow B)^\dagger)^{?_1}$; (2) $(\mathsf{Nat} \Rightarrow B)^\dagger \stackrel{\mathrm{def}}{=} [\&_{i\in\mathbb{N}}\, B^\bullet]^{!_\omega}$ and, when $A \neq \mathsf{Nat}$, $(A \Rightarrow B)^\dagger = (A^\dagger B^\bullet)^{!_\omega}$. For example, $\mathsf{Nat} \Rightarrow \mathsf{Nat}$ is interpreted as $([\&_{i\in\mathbb{N}}\, [\oplus_{j\in\mathbb{N}}]^{?_1}]^{!_\omega})^{?_1}$, where the function first signals itself, receives a natural number, then returns the result. Again one easily shows that the only inhabitants of $A^\bullet$ are the encodings of call-by-value PCF terms, from which we obtain full abstraction. The result also extends to recursive types [11]. Further, another change in the interpretation of types allows us to fully abstractly capture the semantics of call-by-name PCF with observability at higher-order types. These results may suggest the power and flexibility of the present framework for the semantic analysis of sequentiality.
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A Typing Rules for Branching 



(Bra'i) (G/j/, = ?A) 
F X ■. 

r • y, : Ti ho Pi > Cr 



(Sel^i) {Ci/y, = A^7,x) 

F X : [©i 67 Ti ]-1 

P-y, :t. hiPoC 



P hi a;[&i6/(yi :Ti).Pi] > A®\ix P ho x±r^{y^ \ Ti)P\> A © ?ia; 
(Bra'“) and (Sel’^“) are similarly defined. 
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Abstract. Wc extend the modal logic of ambients described in |7| to the full ambient 
calculus, including name restriction. Wc introduce logical operators that can be used 
to make assertions about restricted names, and we study their properties. 

1 Introduction 

The $\pi$-calculus notion of name restriction [12], initially intended to represent hidden communication channels, has been used also to represent hidden encryption keys [2] and as the basis for definitions of secrecy [2, 4]. In the context of the ambient calculus [6], name restriction can be used to represent hidden locations and (by extrapolating [4] and [5]) secret locations. In general, we would like to have process calculi where we can represent protocols for creating shared encryption keys and secret locations; name restriction seems crucial to all this.

In $\pi$-calculus notation, $(\nu n)P$ is a restriction of the name $n$ in the process $P$, meaning that $n$ is not currently known outside the scope of $P$. The prefix $(\nu n)$ is more a bookkeeping device than a barrier. It is quite possible for $P$ to communicate $n$ to some external process; then the restriction $(\nu n)$ must be formally pushed outwards to encompass the new scope of $n$ and maintain the scoping invariant; this procedure is called name extrusion. Processes are considered equivalent up to extrusion; that is, extrusion is not regarded as a computational step. Conversely, when a name is forgotten in part of a process, the scope of $(\nu n)$ may be restricted; this is called name intrusion. Manipulation of $(\nu n)$ prefixes includes, in particular, renaming and swapping of prefixes, so that there is no obvious way of talking about "the first restricted name" or any particular restricted name of a process.

The ambient calculus can be regarded essentially as an extension of the $\pi$-calculus with dynamic location structures. In [7] we present a modal logic for describing properties of ambient calculus processes, with particular emphasis on expressing the structure and evolution of hierarchies of locations. Much of that logic can be applied directly to the $\pi$-calculus. However, in [7] we left out name restriction; we now intend to fill that gap in a way that can be applied both to the $\pi$-calculus, where names are channels, and to the ambient calculus, where names are locations. In both cases, we need to investigate the logical properties of name restriction.

In our existing logic we can describe detailed properties of processes. If we now consider restriction, what does it mean to describe properties of restricted names? We would like to be able to say, for example, "a shared key is established between locations $a$ and $b$", or "a secret location is created that only $a$ and $b$ can access". In a protocol that establishes such shared secrets, the secrets are typically represented by restricted names. The problem is that there is no obvious way to talk about such restricted names in the specification of the protocol. We might be tempted to use ordinary existential quantification, and say "there exists a name shared between locations $a$ and $b$". But this is not good enough, because we want that name to be fresh and unknown to other locations or potential attackers.

Therefore, we want a new form of quantification that can be read as "in the process there exists a restricted name which we shall call $x$, and such that $\mathcal{A}$", where $x$ is a variable that ranges over names, and $\mathcal{A}$ is some property that may involve $x$. Let us indicate this quantifier as $(\nu x)\mathcal{A}$; this formula is meant to correspond somehow to a process of the form $(\nu n)P$ where $x$ denotes $n$. However, since $(\nu n)$ can float, the matching of $(\nu x)$ to any particular $(\nu n)$ is not obvious.

This means that the logical rules of our tentative $(\nu x)\mathcal{A}$ quantifier are going to be fairly complex, or at least unfamiliar. We have approached this complexity by splitting $(\nu x)\mathcal{A}$ into two operators: one for quantifying over fresh names, and one for mentioning restricted names. The first operator is the Gabbay-Pitts quantifier, $\mathsf{N}x.\mathcal{A}$, adapted to our context: it quantifies over all names that do not occur free either in the formula $\mathcal{A}$ or in the described process. The second is a binary operator (not a quantifier) called revelation, $n\circledR\mathcal{A}$, which means that it is possible to reveal a restricted name as the given name $n$, and then assert $\mathcal{A}$. (Revelation fails to hold if it would lead to a name clash in the process.)

We investigate the properties of $n\circledR\mathcal{A}$ and $\mathsf{N}x.\mathcal{A}$ separately. We combine them to define $(\nu x)\mathcal{A}$ as $\mathsf{N}x.x\circledR\mathcal{A}$, and then we study the derived properties of $(\nu x)\mathcal{A}$.

2 Summary of the Ambient Logic 

In this section, we provide a quick summary of the ambient calculus. Although this summary is technically self-contained, we assume some knowledge of [6]: see that paper for discussion and motivation. We also summarize the ambient logic studied in [7]. Again, this is self-contained, but knowledge of that paper will help. Two new operators, revelation and its adjunct hiding, are introduced here, and are discussed in the following sections.

2.1 The Calculus 

The syntax of the ambient calculus is defined in the following table:

Processes

    P, Q, R ::=            processes
        (νn)P              restriction
        0                  void
        P | Q              composition
        !P                 replication
        M[P]               ambient
        M.P                capability action
        (n).P              input action
        <M>                output action

    M ::=                  capabilities
        n                  name
        in M               can enter into M
        out M              can exit out of M
        open M             can open M
        ε                  null
        M.M'               path

The set of free names of a process $P$, written $fn(P)$, is defined as usual, where the only binders are restriction and the input action, so that $fn((\nu n)P) = fn((n).P) = fn(P) - \{n\}$.

We write $P\{n \leftarrow M\}$ for the substitution of the capability $M$ for each free occurrence of the name $n$ in the process $P$. Similarly for $M\{n \leftarrow M'\}$. We identify processes up to renaming of bound names; that is, we assume, for $m \notin fn(P)$, that $(\nu n)P = (\nu m)P\{n \leftarrow m\}$ and $(n).P = (m).P\{n \leftarrow m\}$.

We use some syntactic conventions. We use parentheses for precedence. The process $0$ is often omitted in the contexts $n[0]$ and $M.0$, yielding $n[]$ and $M$. Composition has the weakest binding power, so that the expression $(\nu n)P \mid Q$ is read $((\nu n)P) \mid Q$, the expression $!P \mid Q$ is read $(!P) \mid Q$, the expression $M.P \mid Q$ is read $(M.P) \mid Q$, and the expression $(n).P \mid Q$ is read $((n).P) \mid Q$.

Structural congruence is a relation between processes used as an aid in the definition of reduction. With respect to [6], the structural rules for replication have been refined.

The reduction relation describes the dynamic behavior of ambients. In particular, the rules (Red In), (Red Out) and (Red Open) represent mobility, while (Red Comm) represents local communication (see [6] for an extended discussion). For example, the process $a[p[out\ a.\ in\ b.\ \langle m\rangle]] \mid b[open\ p.\ (n).\ n[]]$ represents a packet $p$ that travels out of host $a$ and into host $b$, where it is opened, and its contents $m$ are read and used to create a new ambient. The process reduces in four steps (illustrating each of the four reduction rules) to the residual process $a[] \mid b[m[]]$.
Structural Congruence

P ≡ P                                          (Struct Refl)
P ≡ Q ⇒ Q ≡ P                                  (Struct Symm)
P ≡ Q, Q ≡ R ⇒ P ≡ R                           (Struct Trans)
P ≡ Q ⇒ (νn)P ≡ (νn)Q                          (Struct Res)
P ≡ Q ⇒ P | R ≡ Q | R                          (Struct Par)
P ≡ Q ⇒ !P ≡ !Q                                (Struct Repl)
P ≡ Q ⇒ n[P] ≡ n[Q]                            (Struct Amb)
P ≡ Q ⇒ M.P ≡ M.Q                              (Struct Action)
P ≡ Q ⇒ (n).P ≡ (n).Q                          (Struct Input)
ε.P ≡ P                                        (Struct ε)
(M.M').P ≡ M.M'.P                              (Struct .)
(νn)(νm)P ≡ (νm)(νn)P                          (Struct Res Res)
(νn)0 ≡ 0                                      (Struct Res Zero)
(νn)(P | Q) ≡ P | (νn)Q   if n ∉ fn(P)         (Struct Res Par)
(νn)(m[P]) ≡ m[(νn)P]   if n ≠ m               (Struct Res Amb)
P | 0 ≡ P                                      (Struct Par Zero)
P | Q ≡ Q | P                                  (Struct Par Comm)
(P | Q) | R ≡ P | (Q | R)                      (Struct Par Assoc)
!0 ≡ 0                                         (Struct Repl Zero)
!(P | Q) ≡ !P | !Q                             (Struct Repl Par)
!P ≡ P | !P                                    (Struct Repl Copy)
!P ≡ !!P                                       (Struct Repl Repl)

Reduction

n[in m. P | Q] | m[R] → m[n[P | Q] | R]        (Red In)
m[n[out m. P | Q] | R] → n[P | Q] | m[R]       (Red Out)
open n. P | n[Q] → P | Q                       (Red Open)
(n).P | ⟨M⟩ → P{n←M}                           (Red Comm)
P → Q ⇒ (νn)P → (νn)Q                          (Red Res)
P → Q ⇒ P | R → Q | R                          (Red Par)
P → Q ⇒ n[P] → n[Q]                            (Red Amb)
P' ≡ P, P → Q, Q ≡ Q' ⇒ P' → Q'                (Red ≡)
→*    reflexive and transitive closure of →

2.2 The Logic 

The syntax of logical formulas is summarized below. This is a modal predicate logic with classi- 
cal negation. As usual, many standard connectives are interdefinable; we take T, ∨, ◇, ∀ as 
primitive, and F, ∧, □, ∃ as derived. 



Logical Formulas

η              a name n or a variable x

𝒜,ℬ,𝒞 ::=      formulas
  T            true                         η[𝒜]       location
  ¬𝒜           negation                     𝒜@η        location adjunct
  𝒜 ∨ ℬ        disjunction                  η®𝒜        revelation
  0            void                         𝒜⊘η        revelation adjunct
  𝒜 | ℬ        composition                  ◇𝒜         sometime modality
  𝒜 ▷ ℬ        composition adjunct          ⟐𝒜         somewhere modality
  ∀x.𝒜         universal quantification



The meaning of the formulas will be given shortly in terms of a satisfaction relation. Infor- 
mally, the first three formulas (true, negation, disjunction) give propositional logic. The next five 
(void, composition and its adjunct, location and its adjunct) describe tree-like structures of loca- 
tions. Revelation and its adjunct are new to this paper, and are discussed in detail later. The two 
spatial and temporal modalities make assertions about states that may happen “further away” in 
space or time respectively. Quantified variables range only over names: these variables may ap- 
pear in the location and revelation constructs, and their adjuncts. 

The collections of free names, fn(𝒜), and free variables, fv(𝒜), of a formula 𝒜 are defined 
along standard lines, keeping in mind that there are no name-binding constructs and just one vari- 
able-binding construct (∀x.𝒜). 

A formula 𝒜 is closed if fv(𝒜) = ∅. Substitution 𝒜{η←μ} of a name or variable μ for another 
name or variable η in a formula 𝒜 is defined in the usual way. We identify formulas up to renam- 
ing of bound variables, that is, we assume the identity ∀x.𝒜 = ∀y.𝒜{x←y}, where y ∉ fv(𝒜). We 
often write η[] for η[0], and 𝒜^⊥ for 𝒜 ▷ F. 

2.3 Satisfaction 

The satisfaction relation P ⊨ 𝒜 means that the process P satisfies the closed formula 𝒜. The def- 
inition of satisfaction is based heavily on the structural congruence relation. The satisfaction re- 
lation is defined inductively in the following tables, where Π is the sort of processes, Φ is the sort 
of formulas, ϑ is the sort of variables, and Λ is the sort of names. We use similar syntax for logical 
connectives at the meta-level and object-level, but this is unambiguous. 

The meaning of the temporal modality is given by reductions in the operational semantics of 
the ambient calculus. For the spatial modality, we need the following definitions. The relation 
P ↓ P' indicates that P contains P' within exactly one level of nesting. Then, P ↓* P' is the reflexive 
and transitive closure of the previous relation, indicating that P contains P' at some nesting level. 
Note that P' constitutes the entire contents of an enclosed ambient. 

P ↓ P'   iff   ∃n,P''. P ≡ n[P'] | P''

↓*   is the reflexive and transitive closure of ↓



Satisfaction

∀P∈Π.                 P ⊨ T
∀P∈Π, 𝒜∈Φ.            P ⊨ ¬𝒜        ≜  ¬ P ⊨ 𝒜
∀P∈Π, 𝒜,ℬ∈Φ.          P ⊨ 𝒜 ∨ ℬ     ≜  P ⊨ 𝒜 ∨ P ⊨ ℬ
∀P∈Π.                 P ⊨ 0         ≜  P ≡ 0
∀P∈Π, 𝒜,ℬ∈Φ.          P ⊨ 𝒜 | ℬ     ≜  ∃P',P''∈Π. P ≡ P' | P'' ∧ P' ⊨ 𝒜 ∧ P'' ⊨ ℬ
∀P∈Π, 𝒜,ℬ∈Φ.          P ⊨ 𝒜 ▷ ℬ     ≜  ∀P'∈Π. P' ⊨ 𝒜 ⇒ P | P' ⊨ ℬ
∀P∈Π, n∈Λ, 𝒜∈Φ.       P ⊨ n[𝒜]      ≜  ∃P'∈Π. P ≡ n[P'] ∧ P' ⊨ 𝒜
∀P∈Π, n∈Λ, 𝒜∈Φ.       P ⊨ 𝒜@n       ≜  n[P] ⊨ 𝒜
∀P∈Π, n∈Λ, 𝒜∈Φ.       P ⊨ n®𝒜       ≜  ∃P'∈Π. P ≡ (νn)P' ∧ P' ⊨ 𝒜
∀P∈Π, n∈Λ, 𝒜∈Φ.       P ⊨ 𝒜⊘n       ≜  (νn)P ⊨ 𝒜
∀P∈Π, 𝒜∈Φ.            P ⊨ ◇𝒜        ≜  ∃P'∈Π. P →* P' ∧ P' ⊨ 𝒜
∀P∈Π, 𝒜∈Φ.            P ⊨ ⟐𝒜        ≜  ∃P'∈Π. P ↓* P' ∧ P' ⊨ 𝒜
∀P∈Π, x∈ϑ, 𝒜∈Φ.       P ⊨ ∀x.𝒜      ≜  ∀m∈Λ. P ⊨ 𝒜{x←m}

Again, all these logical connectives are described and discussed in [7], except for revelation 
and its adjunct, which are the subject of Section 3. 

Remark: Given our policy of identifying formulas up to the renaming of bound variables, we 
need to check that satisfaction is well defined with respect to the equation ∀x.𝒜 = ∀y.𝒜{x←y}, 
where y ∉ fv(𝒜). We need to show for all processes P, formulas 𝒜, and variables x and y such that 
y ∉ fv(𝒜) that P ⊨ ∀x.𝒜 if and only if P ⊨ ∀y.𝒜{x←y}. By definition, P ⊨ ∀y.𝒜{x←y} if and only 
if ∀m∈Λ. P ⊨ 𝒜{x←y}{y←m}. Since y ∉ fv(𝒜), we have 𝒜{x←y}{y←m} = 𝒜{x←m}. There- 
fore, P ⊨ ∀y.𝒜{x←y} if and only if ∀m∈Λ. P ⊨ 𝒜{x←m}. This is the definition of satisfaction for 
∀x.𝒜. So it follows that y ∉ fv(𝒜) implies that P ⊨ ∀x.𝒜 if and only if P ⊨ ∀y.𝒜{x←y}. □ 

Fundamental Lemmas 

The following lemmas are crucial in what follows. 

2-1 Lemma (Satisfaction is up to ≡) 

(P ⊨ 𝒜 ∧ P ≡ P') ⇒ P' ⊨ 𝒜 □ 

2-2 Lemmas (Inversion) 

(1) P ≡ Q ⇒ fn(P) = fn(Q) 

(2) (νn)P ≡ 0 ⇒ P ≡ 0 

(3) (νn)P ≡ m[Q] ⇒ ∃R∈Π. P ≡ m[R] ∧ Q ≡ (νn)R   (for n ≠ m) 

(4) (νn)P ≡ Q' | Q'' ⇒ ∃R',R''∈Π. P ≡ R' | R'' ∧ Q' ≡ (νn)R' ∧ Q'' ≡ (νn)R'' □ 

Remark. It is not true that (νn)P ≡ (νn)Q implies P ≡ Q. Take P = n[] and Q = (νn)n[]; then 
(νn)n[] ≡ (νn)(νn)n[] but n[] ≢ (νn)n[]. □ 

2-3 Lemma (Fresh renaming preserves ⊨) 

For all closed formulas 𝒜, processes P, and names m, m', 
if m' ∉ fn(P) ∪ fn(𝒜) then P ⊨ 𝒜 ⇔ P{m←m'} ⊨ 𝒜{m←m'} □ 

The proof of Lemma 2-1 is an induction on the structure of 𝒜. See [8] for Lemmas 2-2. The 
proof of Lemma 2-3 is by induction on the number of symbols in the closed formula 𝒜, which is 
unchanged by substituting a name for a variable or another name; this proof is an extension of the 
analogous one from [7] with cases for revelation and hiding. It is common for semantic properties 
of the π-calculus and its descendants to be preserved by fresh renaming; an early example is a 
fresh renaming lemma for strong bisimulation in the original article on the π-calculus [13, 9]. 

2.4 Validity 

Valid Formulas, Sequents, and Rules 

A closed formula is valid when it is satisfied by all processes. A general formula is valid when it 
is valid under any closed instantiation of its free variables with names. 

More precisely, if fv(𝒜) = {x1, ..., xk} are the free variables of 𝒜 and φ∈ϑ→Λ is a substitution 
of names for variables such that dom(φ) ⊇ fv(𝒜), then we write 𝒜φ for 𝒜{x1←φ(x1), ..., xk←φ(xk)}, 
and we define: 

Valid Formulas 

vld(𝒜)φ ≜ ∀P∈Π. P ⊨ 𝒜φ        for φ∈ϑ→Λ with dom(φ) ⊇ fv(𝒜) 
vld(𝒜) ≜ ∀φ∈fv(𝒜)→Λ. vld(𝒜)φ 

We use validity for interpreting logical inference rules, as described in the following tables. 
We use a linearized notation for inference rules, where the usual horizontal bar separating ante- 
cedents from consequents is written ‘⊩’ in-line, and ‘;’ is used to separate antecedents. 

Sequents are interpreted as follows. A simple sequent 𝒜 ⊢ ℬ is interpreted as the validity of 
the formula 𝒜 ⇒ ℬ. Sequents with conditions about disjointness of variables, or disjointness of 
variables from names, are reduced to simple sequents, as described below. Equality of names η=μ 
is definable in the logic as η[T]@μ [7]. 

Sequents 

𝒜 ⊢ ℬ ≜ vld(𝒜 ⇒ ℬ) 
𝒜 ⊢ ℬ (η1≠μ1, ..., ηk≠μk) ≜ 𝒜 ∧ η1≠μ1 ∧ ... ∧ ηk≠μk ⊢ ℬ 
𝒜 ⊣⊢ ℬ (Ξ) ≜ (𝒜 ⊢ ℬ (Ξ)) ∧ (ℬ ⊢ 𝒜 (Ξ))      where Ξ = η1≠μ1, ..., ηk≠μk 

For example: 𝒜 ⊢ ℬ means ∀φ∈fv(𝒜,ℬ)→Λ. ∀P∈Π. P ⊨ 𝒜φ ⇒ P ⊨ ℬφ. 

Logical rules are interpreted as follows, where 𝒮 are sequents (any of the three forms above, 
including sequents with side conditions and double sequents): 

Rules 

𝒮1; ...; 𝒮n ⊩ 𝒮0 ≜ (𝒮1 ∧ ... ∧ 𝒮n) ⇒ 𝒮0 
𝒮1 ⊩⊣ 𝒮2 ≜ 𝒮1 ⊩ 𝒮2 ∧ 𝒮2 ⊩ 𝒮1 

The definition of validity for formulas with free variables allows us to handle quantification 
over names. We obtain the validity of the following standard rules for the universal quantifier, 
and for the definable existential quantifier: 



Quantification

(∀L)   𝒜{x←η} ⊢ ℬ ⊩ ∀x.𝒜 ⊢ ℬ        where η is a name or a variable
(∀R)   𝒜 ⊢ ℬ ⊩ 𝒜 ⊢ ∀x.ℬ              where x ∉ fv(𝒜)
(∃L)   𝒜 ⊢ ℬ ⊩ ∃x.𝒜 ⊢ ℬ              where x ∉ fv(ℬ)
(∃R)   𝒜 ⊢ ℬ{x←η} ⊩ 𝒜 ⊢ ∃x.ℬ         where η is a name or a variable


Remark: (∀R). The distinction between variables and names in formulas, and the use of vari- 
ables (as opposed to names) in quantification is crucial for (∀R). The version of (∀R) with names 
instead of variables: 

𝒜 ⊢ ℬ ⊩ 𝒜 ⊢ ∀n.ℬ   where n ∉ fn(𝒜), 

is not sound. Consider the valid sequent m[T] ⊢ ¬n[T]. If quantification binders were names, then 
the rule (∀R) could be used to produce m[T] ⊢ ∀n.¬n[T], which is not valid. Since quantification 
binders are variables, one can only deduce m[T] ⊢ ∀x.¬n[T]. □ 

Remark: (∀L). The use of substitutions that admit variables, in addition to names, in (∀L), is 
crucial. Otherwise, if (∀L) is formulated as 𝒜{x←m} ⊢ ℬ ⊩ ∀x.𝒜 ⊢ ℬ, there does not seem to 
be any way to derive, for example: 

𝒜 ⊢ ℬ ⊩ ∀x.𝒜 ⊢ ∀x.ℬ 

which is obtained by starting from 𝒜{x←x} ⊢ ℬ and applying (∀L) and then (∀R). □ 

A number of proof principles can be derived from the definition of validity: 

Instantiation Principle. Let 𝒮 be a one-directional sequent, then, for any x, n: 

(Inst) 𝒮 ⊩ 𝒮{x←n} 

Substitution Principle. Let ℬ{-} be a formula with a set of formula holes, indicated by -, and let 
ℬ{𝒜} denote the formula obtained by filling those holes with 𝒜, after renaming the bound vari- 
ables of ℬ so they do not capture free variables of 𝒜. 

(Subst) 𝒜' ⊣⊢ 𝒜 ⊩ ℬ{𝒜'} ⊣⊢ ℬ{𝒜} 

Case Analysis Principle. A case analysis principle is useful for proofs involving equality and in- 
equality; inequalities often occur as side-conditions of primitive and derived rules. A predicate 𝒜 
is classical iff ∀φ∈fv(𝒜)→Λ. {P | P ⊨ 𝒜φ} ∈ {Π, ∅}. Note that T, F, and η=μ are classical pred- 
icates; so is 𝒜^⊥, for any 𝒜 (meaning that 𝒜 is unsatisfiable), and so is the conjunction, disjunction, 
and negation of classical predicates. Let 𝒮{-} be a one-directional sequent with a set of formula 
holes, and 𝒜 be a classical predicate. Then: 

(Case Analysis) 𝒮{T}; 𝒮{F} ⊩ 𝒮{𝒜} 

3 Revelation 

We now study the logical connectives η®𝒜 (revelation), and 𝒜⊘η (revelation adjunct or hid- 
ing). These connectives make assertions about restricted names that occur in processes. 








∀P∈Π. P ⊨ ©n            iff  ¬∃P'∈Π. P ≡ (νn)P'                                      iff  n ∈ fn(P)
∀P∈Π. P ⊨ closed        iff  ∀n∈Λ. ∃P'∈Π. P ≡ (νn)P'                                 iff  fn(P) = ∅
∀P∈Π. P ⊨ separate      iff  ¬∃n∈Λ. ∃P',P''∈Π. P ≡ P' | P'' ∧ n ∈ fn(P') ∧ n ∈ fn(P'')
∀P∈Π. P ⊨ atmostfree n  iff  ∀m∈Λ. ∃P'∈Π. (νn)P ≡ (νm)P'                              iff  fn(P) ⊆ {n}

Examples: 

n[] ⊨ ©n   because ¬∃P'∈Π. n[] ≡ (νn)P' 

(νm)m[] ⊨ closed   because ∀n∈Λ. (νm)m[] ≡ (νn)(νm)m[] 

n[] | m[] | (νp)(p[] | p[]) ⊨ separate 


3.2 Rules 

Before giving our set of primitive rules of revelation and hiding, we discuss the most interesting 
properties of ® and ⊘ that are derived in this section. In order to emphasize some symmetries, 
we use here a combination of primitive and derived rules. 

First, the cancellation and swapping properties of double restriction, (νn)(νn)P ≡ (νn)P and 
(νn)(νm)P ≡ (νm)(νn)P, are inherited by both ® and ⊘: 

n®n®𝒜 ⊣⊢ n®𝒜          n®m®𝒜 ⊢ m®n®𝒜 

𝒜⊘n⊘n ⊣⊢ 𝒜⊘n          𝒜⊘m⊘n ⊢ 𝒜⊘n⊘m 

Next, consider the combinations: 

n®(𝒜⊘n)          (n®𝒜)⊘n 

We see easily that P ⊨ n®(𝒜⊘n) means that P ⊨ 𝒜 and that n ∉ fn(P), where n ∉ fn(P) can be written 
also as P ⊨ n®T. Instead, P ⊨ (n®𝒜)⊘n means that, although P may not satisfy 𝒜, if we hide n 
in P we obtain something where we can reveal n and satisfy 𝒜. For example, (νm)n[m[]] ⊭ 
m®m[n[]], but (νm)n[m[]] ⊨ (n®m®m[n[]])⊘n, because (νn)(νm)n[m[]] ≡ (νn)(νm)m[n[]] ⊨ 
n®m®m[n[]]. In other words, P ⊨ (n®𝒜)⊘n means that we can satisfy 𝒜 by hiding the name n 
of P, and revealing a possibly different restricted name of P as n. We obtain the properties: 

n®(𝒜⊘n) ⊣⊢ 𝒜 ∧ n®T 

n®(𝒜⊘n) ⊢ 𝒜          𝒜 ⊢ (n®𝒜)⊘n 

n®(𝒜⊘n) ⊢ 𝒜⊘n        𝒜⊘n ⊢ (n®𝒜)⊘n 

n®(𝒜⊘n) ⊢ n®𝒜        n®𝒜 ⊢ (n®𝒜)⊘n 

The interactions of ® and ⊘ with | are the most interesting, and the most complex. There are 
basically three distribution rules: distribution of ® over | in both directions (with a constraint), 
unrestricted distribution of ⊘ over | in one direction, and distribution of n®((-)⊘n) over | in both 
directions. 

n®(𝒜 | n®ℬ) ⊣⊢ n®𝒜 | n®ℬ 

(𝒜 | ℬ)⊘n ⊢ 𝒜⊘n | ℬ⊘n 

n®((𝒜 | ℬ)⊘n) ⊣⊢ n®(𝒜⊘n) | n®(ℬ⊘n) 

The first rule embodies the scope extrusion rule, (νn)(P | Q) ≡ ((νn)P) | Q if n ∉ fn(Q). This 
can be seen more clearly if we note that n ∉ fn(Q) is equivalent to Q ≡ (νn)Q; then the extrusion 
rule can be written as (νn)(P | (νn)Q) ≡ ((νn)P) | ((νn)Q) with no side condition. 

The second rule implies that if (νn)(P | Q) ⊨ 𝒜 | ℬ then it is possible to distribute the restric- 
tion so that (νn)P ⊨ 𝒜 and (νn)Q ⊨ ℬ; this is a consequence of Lemma 2-2(4). 

The last rule looks mysterious, but has a simple interpretation. According to one of the 
equivalences above, it can be rewritten as (𝒜 | ℬ) ∧ n®T ⊣⊢ (𝒜 ∧ n®T) | (ℬ ∧ n®T); that is, the 
name n does not occur in a parallel composition iff it does not occur in either component. The 
right-to-left direction is actually a derivable rule. 

A similar set of rules holds for distribution of ® and ⊘ over n[-]: 

n®m[𝒜] ⊣⊢ m[n®𝒜]                 (n ≠ m) 

m[𝒜]⊘n ⊣⊢ m[𝒜⊘n]                 (n ≠ m) 

n[𝒜]⊘n ⊣⊢ F 

n®(m[𝒜]⊘n) ⊣⊢ m[n®(𝒜⊘n)]         (n ≠ m) 

The distribution of n®- over m[-] (first rule) holds in both directions as long as n ≠ m. 

The distribution of -⊘n over m[-] (second and third rules) comes in two cases, depending 
on whether n = m. In each case, the right-to-left direction is derivable. From n[T]⊘n ⊢ F we can 
derive n®T ⊢ ¬n[T], which means that if a name n does not occur free in a process, the process 
cannot be a location named n. 

The distribution of n®((-)⊘n) over m[-] (fourth rule) is derivable in both directions, from 
the first two rules. Again, this rule can be rewritten as m[𝒜] ∧ n®T ⊣⊢ m[𝒜 ∧ n®T] (n ≠ m); that 
is, the name n does not occur in a location iff it is distinct from the name of the location and it 
does not occur inside the location. 

Finally, ® and ⊘ commute in one direction: 

m®(𝒜⊘n) ⊢ (m®𝒜)⊘n 

We now take the following set of rules as primitive (i.e., we verify their validity in the mod- 
el). The first group handles double revelation, distribution of ® over ∨, congruence of ® with ⊢, 
the adjunction rule connecting ® and ⊘, and the rather curious but very useful fact that ¬ com- 
mutes with ⊘. The other three groups deal with the interactions of ® and ⊘ with 0, |, and n[-]. 
3-1 Proposition (Validity: Revelation Rules) 

(®)       ⊩ x®x®𝒜 ⊣⊢ x®𝒜
(® ®)     ⊩ x®y®𝒜 ⊢ y®x®𝒜
(® ∨)     ⊩ x®(𝒜 ∨ ℬ) ⊢ x®𝒜 ∨ x®ℬ
(® ⊢)     𝒜 ⊢ ℬ ⊩ x®𝒜 ⊢ x®ℬ
(® ⊘)     η®𝒜 ⊢ ℬ ⊩⊣ 𝒜 ⊢ ℬ⊘η
(⊘ ¬)     ⊩ (¬𝒜)⊘x ⊣⊢ ¬(𝒜⊘x)
(⊘ ▷F)    ⊩ 𝒜^⊥⊘x ⊣⊢ 𝒜^⊥

(® 0)     ⊩ x®0 ⊣⊢ 0
(⊘ 0)     ⊩ 0⊘x ⊢ 0

(® |)     ⊩ x®(𝒜 | x®ℬ) ⊣⊢ x®𝒜 | x®ℬ
(⊘ |)     ⊩ (𝒜 | ℬ)⊘x ⊢ 𝒜⊘x | ℬ⊘x
(® ⊘ |)   ⊩ x®((𝒜 | ℬ)⊘x) ⊢ x®(𝒜⊘x) | x®(ℬ⊘x)

(® n[])   ⊩ x®y[𝒜] ⊣⊢ y[x®𝒜]          (x ≠ y)
(⊘ n[])   ⊩ y[𝒜]⊘x ⊢ y[𝒜⊘x]           (x ≠ y)
(⊘ n[])   ⊩ x[𝒜]⊘x ⊢ F                □









From the rules that we have validated in Proposition 3-1, we can derive a large collection of 
facts by logical deduction, including the following: 



3-2 Logical Corollaries (Case Analysis) 

Let 𝒞 be a classical predicate (typically, 𝒞 is a side condition of the form x ≠ y). 

(CA | ∧)     ⊩ (𝒞 ∧ 𝒜) | (𝒞 ∧ ℬ) ⊣⊢ 𝒞 ∧ (𝒜 | ℬ)
(CA | ⇒)     ⊩ (𝒞 ⇒ 𝒜) | (𝒞 ⇒ ℬ) ⊢ 𝒞 ⇒ (𝒜 | ℬ)
(CA n[] ∧)   ⊩ z[𝒞 ∧ 𝒜] ⊣⊢ 𝒞 ∧ z[𝒜]          where z may occur in 𝒞
(CA ® ∧)     ⊩ z®(𝒞 ∧ 𝒜) ⊣⊢ 𝒞 ∧ z®𝒜          where z may occur in 𝒞   □



3-3 Logical Corollaries (Revelation) 

(⊘)         ⊩ 𝒜⊘x⊘x ⊣⊢ 𝒜⊘x
(⊘ ⊘)       ⊩ 𝒜⊘y⊘x ⊢ 𝒜⊘x⊘y
(® ⊘ R)     ⊩ 𝒜 ⊢ (x®𝒜)⊘x
            ⊩ x®𝒜 ⊢ (x®𝒜)⊘x
(® ⊘ L)     ⊩ x®(𝒜⊘x) ⊢ 𝒜
            ⊩ x®(𝒜⊘x) ⊢ 𝒜⊘x
(® ⊘ |)     ⊩ x®((𝒜 | ℬ)⊘x) ⊣⊢ x®(𝒜⊘x) | x®(ℬ⊘x)
(® | ®)     ⊩ x®(x®𝒜 | x®ℬ) ⊣⊢ x®𝒜 | x®ℬ
            ⊩ x®𝒜 | x®ℬ ⊣⊢ (x®𝒜 | x®ℬ)⊘x
(| ® ⊘)     ⊩ x®𝒜 | x®(ℬ⊘x) ⊢ x®(𝒜 | ℬ)
(⊘ | ®)     ⊩ 𝒜⊘x | x®ℬ ⊢ (𝒜 | x®ℬ)⊘x
(® ∨)       ⊩ x®(𝒜 ∨ ℬ) ⊣⊢ x®𝒜 ∨ x®ℬ
(® ∧)       ⊩ x®(𝒜 ∧ ℬ) ⊢ x®𝒜 ∧ x®ℬ
  hence:    ⊩ x®𝒜 ⊣⊢ x®𝒜 ∧ x®T
(® F)       ⊩ x®F ⊢ F
(⊘ |)       ⊩ 𝒜⊘x | x®(ℬ⊘x) ⊢ (𝒜 | ℬ)⊘x
            ⊩ (𝒜 | ℬ)⊘x ⊢ 𝒜⊘x | ℬ⊘x
(⊘ ®)       ⊩ 𝒜⊘x ⊢ (x®𝒜)⊘x
  hence:    ⊩ x®(𝒜⊘x) ⊢ x®𝒜
(® ∧ ⊘)     ⊩ x®(𝒜 ∧ ℬ⊘x) ⊣⊢ x®𝒜 ∧ ℬ
  hence:    ⊩ x®(ℬ⊘x) ⊣⊢ x®T ∧ ℬ
(® ∨ ⊘)     ⊩ x®(𝒜 ∨ ℬ⊘x) ⊢ x®𝒜 ∨ ℬ
(⊘ ⊢)       𝒜 ⊢ ℬ ⊩ 𝒜⊘x ⊢ ℬ⊘x
(® ⊘ |)     ⊩ x®((𝒜 | ℬ)⊘x) ⊣⊢ x®(𝒜⊘x) | x®(ℬ⊘x)
(® ⊘ |)     ⊩ x®((𝒜 | ℬ)⊘x) ⊢ (x®𝒜)⊘x | (x®ℬ)⊘x
(® ∧ |)     ⊩ x®T ∧ (𝒜 | ℬ) ⊣⊢ (x®T ∧ 𝒜) | (x®T ∧ ℬ)
(® ⇒ |)     ⊩ (x®T ⇒ 𝒜) | (x®T ⇒ ℬ) ⊢ x®T ⇒ (𝒜 | ℬ)
(⊘ n[])     ⊩ y[𝒜]⊘x ⊣⊢ y[𝒜⊘x]                (x ≠ y)
(⊘ n[])     ⊩ x[𝒜]⊘x ⊣⊢ F
(@ ®)       ⊩ (x®𝒜)@x ⊣⊢ F
(@ ® ≠)     ⊩ (x®𝒜)@y ⊣⊢ x®(𝒜@y)              (x ≠ y)
(⊘ T)       ⊩ T ⊣⊢ T⊘x
(⊘ F)       ⊩ F⊘x ⊣⊢ F
(⊘ ∨)       ⊩ (𝒜 ∨ ℬ)⊘x ⊣⊢ 𝒜⊘x ∨ ℬ⊘x
(⊘ ∧)       ⊩ (𝒜 ∧ ℬ)⊘x ⊣⊢ 𝒜⊘x ∧ ℬ⊘x
(⊘ 0)       ⊩ 0 ⊢ 0⊘x
(® ¬0)      ⊩ x®¬0 ⊢ ¬0
(® ⊘ n[])   ⊩ x®(y[𝒜]⊘x) ⊣⊢ y[x®(𝒜⊘x)]        (x ≠ y)
(® ∧ n[])   ⊩ x®T ∧ y[𝒜] ⊣⊢ y[x®T ∧ 𝒜]        (x ≠ y)
(⊘ ®)       ⊩ x®(𝒜⊘y) ⊢ (x®𝒜)⊘y
(® ∃)       ⊩ ∃x.y®𝒜 ⊣⊢ y®∃x.𝒜                 where x ≠ y
(® ∀)       ⊩ y®∀x.𝒜 ⊢ ∀x.y®𝒜                  where x ≠ y   □



Remark. The derived rule (® ¬0) says that if we reveal a restricted name and find non-0, then the 
original process is also non-0. That is, non-0-ness cannot be hidden by restriction. Consider, for 
example, the process P = (νn)n[]. Under many standard behavioral equivalences ~ we have P ~ 
0. However, we have P ⊨ n®¬0, and hence by (® ¬0), we have that P ⊨ ¬0. This example 
shows quite clearly that our logic is finer than standard behavioral equivalences, and that it can 
inspect the structure of restricted processes. □ 



4 Fresh-Name Quantifier 

In this section we define a formula, Иx.𝒜, with the meaning “for fresh x, 𝒜 holds”. Here, “fresh” 
means, informally, distinct from any name that might clash with an existing name. 

The set of free (i.e., non-fresh) names that occur in a process or formula is always finite; 
hence sets of fresh names are always cofinite. (A cofinite set is the complement of a finite set with 
respect to an infinite universe, which, in our case, is the countable universe of names Λ.) If there 
is a suitable fresh x, then there are infinitely many of them, since a fresh name can be replaced by 
any other fresh name. Therefore, “freshness” can be expressed formally as the existence of a cofi- 
nite set of interchangeable names [10]. We use Fin(S) for the collection of finite subsets of a set S. 

4.1 The Gabbay-Pitts Property 

We would like to obtain the following property for Иx.𝒜: 

P ⊨ Иx.𝒜 ⇔ ∃m∈Λ. m ∉ fn(P,𝒜) ∧ P ⊨ 𝒜{x←m} 

That is, P ⊨ Иx.𝒜 iff there exists a fresh name m such that P ⊨ 𝒜{x←m}. 

This definition is given by existential quantification over fresh names. Remarkably, there is 
an equivalent definition based on universal quantification. The equivalence of these two defini- 
tions is based on a deep property of the logic (Lemma 2-3), and will be used to great effect later. 
We state the equivalence as follows: there exists a fresh name m such that P ⊨ 𝒜{x←m}, if and 
only if for all fresh names m we have P ⊨ 𝒜{x←m}: 

4-1 Proposition (Gabbay-Pitts Property) 

∀P∈Π, 𝒜∈Φ, N∈Fin(Λ). 

N ⊇ fn(P,𝒜) ∧ fv(𝒜) ⊆ {x} ⇒ 

(∃m∈Λ. m ∉ N ∧ P ⊨ 𝒜{x←m}) ⇔ (∀m∈Λ. m ∉ N ⇒ P ⊨ 𝒜{x←m}) 

Proof 

Assume N ⊇ fn(P,𝒜) and fv(𝒜) ⊆ {x}. 

Case ⇐) Assume ∀m∈Λ. m ∉ N ⇒ P ⊨ 𝒜{x←m}. Since N is finite and Λ is infinite, there is a p∈Λ 
such that p ∉ N. Then, by assumption, P ⊨ 𝒜{x←p}. We have shown (∃p∈Λ. p ∉ N ∧ P ⊨ 
𝒜{x←p}). 

Case ⇒) Assume ∃m∈Λ. m ∉ N ∧ P ⊨ 𝒜{x←m}; in particular, m ∉ fn(P,𝒜). Take any p∈Λ and as- 
sume p ∉ N. If p = m we have by assumption that P ⊨ 𝒜{x←p}. Otherwise, if p ≠ m then 
p ∉ N∪{m}; since fn(P,𝒜{x←m}) ⊆ N∪{m}, we have that p ∉ fn(P,𝒜{x←m}). By applying 
Lemma 2-3 to the assumption P ⊨ 𝒜{x←m} we obtain P{m←p} ⊨ 𝒜{x←m}{m←p}; that 
is, P ⊨ 𝒜{x←p}. In both cases, we have shown that (∀p∈Λ. p ∉ N ⇒ P ⊨ 𝒜{x←p}). □ 
4.2 A Gabbay-Pitts Logical Rule 

We now want to formulate a Gabbay-Pitts property similar to Proposition 4-1, but expressible 
within the logic. We are going to use extensively the idiom x#N ∧ x®T, for a quantified variable 
x. The first part of this conjunction says that the name x is fresh with respect to a given set of 
names N that usually includes the set of free names of a formula of interest. The second part says 
that x is fresh in the “underlying process”, because P ⊨ n®T iff n ∉ fn(P). For a suitable choice of 
N, the whole conjunction can be understood as saying that x is “completely fresh”, both at the for- 
mula and process level, in a given situation. 

Notation 

• For N∈Fin(Λ∪ϑ) we define the formula η#N ≜ ∧μ∈N ¬(η=μ). 
For any P and closed m#N, we have P ⊨ m#N iff m ∉ N. 

• Let fnv(𝒜) ≜ fn(𝒜) ∪ fv(𝒜), so that fnv(𝒜) ∈ Fin(Λ∪ϑ). 

With this understanding, the following proposition states the single rule (schema) that we 
add to our logic in order to capture “freshness”, and establishes its soundness. Note that this rule 
holds for open formulas. 

4-2 Proposition (Validity: Gabbay-Pitts) 

(GP) ⊩ ∃x. x#N ∧ x®T ∧ 𝒜 ⊣⊢ ∀x. (x#N ∧ x®T) ⇒ 𝒜 
where N∈Fin(Λ∪ϑ) and N ⊇ fnv(𝒜)−{x} and x ∉ N 

Proof 

Assume N ⊇ fnv(𝒜)−{x} and x ∉ N. We need to show that the sequent is valid, that is that 
∀φ∈(fv(𝒜)−{x})→Λ, P∈Π. P ⊨ (∃x. x#N ∧ x®T ∧ 𝒜)φ ⇔ P ⊨ (∀x. x#N ∧ x®T ⇒ 𝒜)φ. 

(1) ⊩ ∃x. x#N ∧ x®T ∧ 𝒜 ⊢ ∀x. x#N ∧ x®T ⇒ 𝒜 

Take any φ∈(fv(𝒜)−{x})→Λ and P∈Π, and assume P ⊨ (∃x. x#N ∧ x®T ∧ 𝒜)φ. That is, as- 
sume ∃m∈Λ. m ∉ Nφ∪fn(P) ∧ P ⊨ 𝒜φ{x←m}, where Nφ∪fn(P) ⊇ fn(P,𝒜φ) and fv(𝒜φ) ⊆ {x}. 
By Proposition 4-1, we obtain ∀m∈Λ. m ∉ Nφ∪fn(P) ⇒ P ⊨ 𝒜φ{x←m}, that is P ⊨ (∀x. x#N 
∧ x®T ⇒ 𝒜)φ. 

(2) ⊩ ∀x. x#N ∧ x®T ⇒ 𝒜 ⊢ ∃x. x#N ∧ x®T ∧ 𝒜 

Take any φ∈(fv(𝒜)−{x})→Λ and P∈Π and assume P ⊨ (∀x. x#N ∧ x®T ⇒ 𝒜)φ, that is as- 
sume (∀m∈Λ. m ∉ Nφ∪fn(P) ⇒ P ⊨ 𝒜φ{x←m}), where Nφ∪fn(P) ⊇ fn(P,𝒜φ) and fv(𝒜φ) ⊆ 
{x}. By Proposition 4-1, we obtain ∃m∈Λ. m ∉ Nφ∪fn(P) ∧ P ⊨ 𝒜φ{x←m}, that is P ⊨ (∃x. 
x#N ∧ x®T ∧ 𝒜)φ. □ 

Remark. (GP) gives us a way to prove that ∀x.𝒜 ⊢ ∃x.𝒜. This depends on the fact that the set of 
names is non-empty, and is obviously not derivable from the normal quantifier rules. Take N = 
fnv(𝒜)−{x}. Starting from 𝒜 ⊢ 𝒜, by right weakening and quantifier introduction we obtain ∀x. 
𝒜 ⊢ ∀x. x#N ∧ x®T ⇒ 𝒜. Again starting from 𝒜 ⊢ 𝒜, by left weakening and quantifier introduc- 
tion we obtain ∃x. x#N ∧ x®T ∧ 𝒜 ⊢ ∃x. 𝒜. By (GP) we have ∀x. x#N ∧ x®T ⇒ 𝒜 ⊢ ∃x. x#N ∧ 
x®T ∧ 𝒜. Hence, by transitivity we obtain ∀x.𝒜 ⊢ ∃x.𝒜. □ 

4.3 Fresh-Name Quantifier 

Without extending the syntax of our logic, we can define quantification over fresh names, Иx.𝒜, 
as follows: 

4-3 Definition (Fresh-Name Quantifier) 

Иx.𝒜 ≜ ∃x. x#(fnv(𝒜)−{x}) ∧ x®T ∧ 𝒜 □ 

Hence fn(Иx.𝒜) = fn(𝒜) and fv(Иx.𝒜) = fv(𝒜)−{x}. 

Note that the right-hand side of this definition depends on the set of free names and variables 
of 𝒜. Therefore, this is not a definition within the logic, but rather a meta-theoretical definition 
(or abbreviation) that should always be understood in its expanded form. Any general theorem or 
derived rule involving Иx.𝒜 will in fact be a schematic theorem or rule with respect to the free 
names and variables of 𝒜, in the same way that (GP) is a rule schema. 

By (GP) (Proposition 4-2) we have: 

Иx.𝒜 ⊣⊢ ∀x. x#fnv(𝒜)−{x} ∧ x®T ⇒ 𝒜 

In terms of satisfaction, we obtain: 

4-4 Lemma (P ⊨ Иx.𝒜) 

P ⊨ Иx.𝒜 

iff ∃m∈Λ. m ∉ fn(P,𝒜) ∧ P ⊨ 𝒜{x←m} 
iff ∀m∈Λ. m ∉ fn(P,𝒜) ⇒ P ⊨ 𝒜{x←m} □ 

Therefore, Иx.𝒜 can be understood as saying either that there is a fresh name x such that 𝒜 
holds, or that for any fresh name x we have that 𝒜 holds. These formulations are equivalent be- 
cause of the cofinite nature of sets of fresh names. If there is a suitably fresh x such that 𝒜 holds, 
then any other fresh name will work equally well, so all fresh names will work. Conversely, if for 
all suitably fresh names 𝒜 holds, since any set of fresh names is (cofinite and hence) non-empty, 
there exists a fresh name for which 𝒜 holds. 

Remark. The meaning of Иx.𝒜 when 𝒜 has free variables other than x is subtle. When we write 
Иx. ...n... we intend x to be fresh w.r.t. any existing name, and in particular n; similarly, when we 
write Иx. ...y... we intend x to be fresh with respect to any name denoted by y. Consider Иy. Иx. 
y=x; this formula should not be valid. In fact, it is contradictory because, by definition, it means 
∃y. y®T ∧ ∃x. x#y ∧ x®T ∧ y=x. Similarly, ∀y. Иx. y=x and ∃y. Иx. y=x are contradictory. (In- 
stead, Иx. ∃y. x=y is valid.) □ 



The following rules are now derivable entirely within the logic: 

4-5 Logical Corollaries (Fresh-Name Quantifier) 

(И ∃)     ⊩ Иx.𝒜 ⊣⊢ ∃x. x#N ∧ x®T ∧ 𝒜               where N ⊇ fnv(𝒜)−{x} and x ∉ N
(И ∀)     ⊩ ∀x. x#N ∧ x®T ⇒ 𝒜 ⊣⊢ Иx.𝒜               where N ⊇ fnv(𝒜)−{x} and x ∉ N
(И ¬)     ⊩ ¬Иx.𝒜 ⊣⊢ Иx.¬𝒜
(И |)     ⊩ Иx.(𝒜 | ℬ) ⊣⊢ (Иx.𝒜) | (Иx.ℬ)
(И ⊢)     𝒜 ⊢ ℬ ⊩ Иx.𝒜 ⊢ Иx.ℬ
(И fv)    ⊩ Иx.𝒜 ⊣⊢ 𝒜                                where x ∉ fv(𝒜)
(И n[])   ⊩ Иx.y[𝒜] ⊣⊢ y[Иx.𝒜]                       where x ≠ y
(И R)     𝒜 ∧ x#N ∧ x®T ⊢ ℬ ⊩ 𝒜 ⊢ Иx.ℬ               where N ⊇ fnv(ℬ)−{x} and x ∉ N∪fv(𝒜)
(И L)     𝒜 ∧ x#N ∧ x®T ⊢ ℬ ⊩ Иx.𝒜 ⊢ ℬ               where N ⊇ fnv(𝒜)−{x} and x ∉ N∪fv(ℬ)
(И E)     𝒜 ⊢ Иx.ℬ; ℬ ∧ x#N ∧ x®T ⊢ 𝒞 ⊩ 𝒜 ⊢ 𝒞        where N ⊇ fnv(ℬ)−{x} and x ∉ N∪fv(𝒞)   □



Remark. Of particular interest (and difficulty) is the distribution of И over |, rule (И |): 

⊩ Иx.(𝒜 | ℬ) ⊣⊢ (Иx.𝒜) | (Иx.ℬ) 

Distribution over | holds in one direction for universal quantification, in the other direction for 
existential quantification, and in both directions for fresh-name quantification. This rule can be 
understood informally as follows (this is a sketch of the formal derivation). In the left-to-right di- 
rection we use the existential interpretation of И. Take any P; if P ⊨ Иx.(𝒜 | ℬ) then there are a 
fresh name x and processes P',P'' such that P ≡ P' | P'' and P' ⊨ 𝒜 and P'' ⊨ ℬ. Hence, there is 
a fresh name x such that P' ⊨ 𝒜 and again a fresh name x such that P'' ⊨ ℬ; that is, P' ⊨ Иx.𝒜 and 
P'' ⊨ Иx.ℬ. Therefore, P ≡ P' | P'' ⊨ (Иx.𝒜) | (Иx.ℬ). In the right-to-left direction we use the 
universal interpretation of И. Take any P; if P ⊨ (Иx.𝒜) | (Иx.ℬ) then there are processes P',P'' 
such that P ≡ P' | P'' and P' ⊨ Иx.𝒜 and P'' ⊨ Иx.ℬ. This means that for all names x' fresh in P' 
and 𝒜, we have P' ⊨ 𝒜{x←x'} and for all names x'' fresh in P'' and ℬ, we have P'' ⊨ ℬ{x←x''}. 
Now, for all names y that are fresh in P', 𝒜, P'', ℬ, we have that P' ⊨ 𝒜{x←y} and P'' ⊨ ℬ{x←y}. 
That is, P ≡ P' | P'' ⊨ Иy.(𝒜{x←y} | ℬ{x←y}) = Иx.(𝒜 | ℬ). □ 

5 Hidden-Name Quantifier 

As discussed in the introduction, a hidden-name quantifier should be a construct of the logic that 
allows us to talk about restricted names in processes. We would like to define a formula (νx)𝒜 to 
mean, informally, that “for hidden name x” (hidden in the underlying process), 𝒜 holds. The in- 
tention is that there should be some correspondence between the binder (νx) in the formula, and 
a binder (νn) in a process that satisfies the formula. We take: 

5-1 Definition (Hidden-Name Quantifier) 

(νx)𝒜 ≜ Иx. x®𝒜 □ 

Hence fn((νx)𝒜) = fn(𝒜) and fv((νx)𝒜) = fv(𝒜)−{x}. Moreover, by definition of И: 

(νx)𝒜 = ∃x. x#fnv(𝒜)−{x} ∧ x®T ∧ x®𝒜 

and, because of Logical Corollary 3-3(® ∧), we can simplify this to: 

(νx)𝒜 ⊣⊢ ∃x. x#fnv(𝒜)−{x} ∧ x®𝒜 

In terms of satisfaction, we obtain: 

5-2 Lemma (P ⊨ (νx)𝒜) 

P ⊨ (νx)𝒜 iff 

∃m∈Λ. m ∉ fn(P,𝒜) ∧ ∃P'∈Π. P ≡ (νm)P' ∧ P' ⊨ 𝒜{x←m} □ 

We have in fact experimented with several plausible definitions for the hidden-name quan- 
tifier, before converging on the one above. We have found that the following property, (νx-prop- 
er), distinguishes the definition above from other definitions of (νx)𝒜 that turned out to be 
unsatisfactory or flawed: 

5-3 Proposition (νx-proper) 

For all n∈Λ, x∈ϑ, P∈Π, and closed 𝒜∈Φ: 
n ∉ fn(P) ∧ P ⊨ (νx)(𝒜{n←x}) ⇔ ∃P'∈Π. P ≡ (νn)P' ∧ P' ⊨ 𝒜 □ 

Corollary: P' ⊨ 𝒜 ⇒ (νn)P' ⊨ (νx)(𝒜{n←x}). □ 

This property can be written in logical form as n®T ∧ (νx)(𝒜{n←x}) ⊣⊢ n®𝒜, for all n. 

Remark. It is natural to first consider the simpler property: 

(νn)P' ⊨ (νx)(𝒜{n←x}) ⇔ P' ⊨ 𝒜     (νx-1) 

The ⇐ direction is equivalent to (νx-proper⇐). However, the ⇒ direction is inconsistent with the 
fundamental Lemma 2-1. Start with n[] ⊨ n[]. By (νx-1⇐) we obtain (νn)n[] ⊨ (νx)x[]. Since 
(νn)n[] ≡ (νn)(νn)n[], by Lemma 2-1 we obtain that (νn)(νn)n[] ⊨ (νx)x[]. Then, by (νx-1⇒) we 
obtain (νn)n[] ⊨ n[], that is (νn)n[] ≡ n[], which is contradictory by Lemma 2-2(1). The problem 
is that we cannot expect a (νx) in the formula to match any (νn) in the process, but only an appro- 
priate one. Hence the refined statement of (νx-proper). □ 

The following rules for (νx)𝒜 can be derived by the rules for revelation and fresh-name. 

5-4 Logical Corollaries (Hidden-Name Quantifier) 

(ν ∀)     ⊩ ∀x. (x#N ∧ x®T) ⇒ x®𝒜 ⊣⊢ (νx)𝒜            where N ⊇ fnv(𝒜)−{x} and x ∉ N
(ν ∃)     ⊩ (νx)𝒜 ⊣⊢ ∃x. x#N ∧ x®T ∧ x®𝒜              where N ⊇ fnv(𝒜)−{x} and x ∉ N
                  ⊣⊢ ∃x. x#N ∧ x®𝒜
(ν R)     𝒜 ∧ x#N ∧ x®T ⊢ x®ℬ ⊩ 𝒜 ⊢ (νx)ℬ             where N ⊇ fnv(ℬ)−{x} and x ∉ N∪fv(𝒜)
(ν L)     x®𝒜 ∧ x#N ⊢ ℬ ⊩ (νx)𝒜 ⊢ ℬ                   where N ⊇ fnv(𝒜)−{x} and x ∉ N∪fv(ℬ)
(ν E)     𝒜 ⊢ (νx)ℬ; x®ℬ ∧ x#N ⊢ 𝒞 ⊩ 𝒜 ⊢ 𝒞            where N ⊇ fnv(ℬ)−{x} and x ∉ N∪fv(𝒞)
(ν ⊢)     𝒜 ⊢ ℬ ⊩ (νx)𝒜 ⊢ (νx)ℬ
(ν fv)    ⊩ (νx)(𝒜⊘x) ⊣⊢ 𝒜                             where x ∉ fv(𝒜)
(ν fv)    ⊩ 𝒜 ⊢ (νx)𝒜                                  where x ∉ fv(𝒜)
(ν ®)     ⊩ (νx)(x®𝒜) ⊣⊢ (νx)𝒜
(ν ⊘)     ⊩ (νx)(𝒜⊘x) ⊢ (νx)𝒜
(ν 0)     ⊩ (νx)0 ⊣⊢ 0
(ν n[])   ⊩ (νx)y[𝒜] ⊣⊢ y[(νx)𝒜]                       where x ≠ y
(ν |)     ⊩ (νx)(𝒜 | x®ℬ) ⊣⊢ ((νx)𝒜) | ((νx)ℬ)
(ν ⊘ |)   ⊩ (νx)(𝒜⊘x) | (νx)(ℬ⊘x) ⊣⊢ (νx)((𝒜 | ℬ)⊘x)   □

Remark. We obtain ∀x. x®𝒜 ⊢ (νx)𝒜 ⊢ ∃x. x®𝒜. However, there are no interesting rules for 
¬(νx)𝒜. □ 

Remark. This fails: 

⊩ (νx)𝒜 ⊢ 𝒜   where x ∉ fv(𝒜) 

because (νn)(n[] | n[]) ⊨ Иx. x®(¬0 | ¬0) but (νn)(n[] | n[]) ⊭ ¬0 | ¬0. This is ®’s fault, not И’s: 
n®𝒜 ⊢ 𝒜 fails with the same counterexample. □ 

Example 

As an example of a specification containing a hidden-name quantifier, consider a situation where 
a secret is shared by two locations n and m, but is not known outside those locations. 

We can state this as follows (recall that ©η ≜ ¬η®T and that P ⊨ ©n iff n ∈ fn(P)): 

(νx)(n[©x] | m[©x]) 

It reads: for a fresh x, the name x is known at n and m, and is restricted anywhere else. 
Expanding the definitions, we obtain: 

P ⊨ (νx)(n[©x] | m[©x]) 
iff 
∃r∈Λ. r ∉ fn(P)∪{n,m} ∧ ∃R',R''∈Π. P ≡ (νr)(n[R'] | m[R'']) ∧ r ∈ fn(R') ∧ r ∈ fn(R'') 

The last line reads: P satisfies the specification iff there exists a name r that is fresh (not conflict- 
ing with n and m or public to P), such that r is known to the processes R' and R'' located at n and 
m, and is restricted inside P. 

Here is a simple example of an implementation of this specification: 

P = (νp)(n[p[]] | m[p[]]) 

6 Related Work and Conclusions

We have introduced a logic for describing concurrent processes with restricted names. Most pre-
vious logics for concurrency have strived to describe properties that are invariant under some
coarse process equivalence, such as bisimulation. Because of our original motivation in describ-
ing location structures in detail, the properties described by our logic are much finer, and are in-
variant only up to structural congruence (see also [14] for a recent characterization). Because of
this, our logic is closely related to intuitionistic linear logic and to bunched logics: see [7] for a
comparison. Our logic is unusual also because it handles variables ranging over a countable uni-
verse of names; these variables can be the subject of universal, existential, fresh-name, and hid-
den-name quantification.

Our logic is built directly out of a process model, so logical soundness is easy to check. Log-
ical completeness is a much more difficult question. We do not expect the full logic to be com-
plete with respect to our model (even for finite behaviors). Silvano Dal Zilio is investigating some
small, complete fragments of the logic. So far, we have mostly tried to discover as many true log-
ical facts as possible (a measure of which is, for example, to be able to embed other logics into
ours [7]), and to minimize the collection of basic rules. We have concentrated in particular on
commutation and distribution properties of operators that can be useful in formal proofs.

In the present paper, fresh-name quantification is modeled after Gabbay and Pitts [10],
adapted to our context; it provides logical rules for reasoning abstractly about freshness. Hidden-
name quantification is obtained by combining fresh-name quantification with a revelation opera-
tor (not a quantifier) for revealing restricted process names. Most novel axioms have to do with
revelation; they often reflect and resemble well-known properties of π-calculus restriction. Tech-
nically, we have added to our previous ambient logic just the revelation operator (and its adjunct)
and an axiom schema expressing the Gabbay-Pitts property. In particular, fresh-name quantifica-
tion, hidden-name quantification, and their properties, are derived.

Recently, we have become aware of related work by Luís Caires (both [3] and more recent
unpublished work). Our aims are quite similar, but we are currently using different formal tech-
niques; we are in the process of comparing results.
Abstract. Using methods drawn from Game Semantics, we build a
sound and computationally adequate model of a simple calculus that 
includes both subtyping and recursive types. Our model solves recursive 
type equations up to equality, and is shown to validate a subtyping rule 
for recursive types proposed by Amadio and Cardelli. 



Introduction 

Subtyping is an ordering relation over types that is an essential feature of a wide 
range of programming languages. While at first order subtyping corresponds 
to inclusion of the carriers, there is no simple set-theoretic interpretation of 
subtyping at higher order. 

Many programming languages also include recursive types — types that are
defined implicitly, as fixpoints of maps over types. The interaction of recur-
sive types with subtyping has been studied before […], and shown to present a
number of interesting challenges. While both are important features of many
programming languages, there are only few interpretations that satisfactorily
model both.

Game Semantics is a framework for modelling programming languages that
combines the elegant mathematical structure of Denotational Semantics with
explicitly operational notions. Due to the blend of the two, Game Semantics has
been successful at modelling a wide range of programming language features. In
a previous work […], we have shown how the simple feature of adding explicit
error elements to Game Semantics allows us to model subtyping; in this paper,
we extend this model to include recursive types, and show that it validates the
subtyping rule for recursive types proposed by Amadio and Cardelli […].

There are two main new results in this paper. First, we show how a minor
modification of the operational semantics of the untyped model presented in an
earlier paper makes the model computationally adequate (Sections 1.1 and 2.2), thus
solving the main open problem in our previous paper […]. Second, we show how
the space of games, used for modelling types, can be equipped with a metric
that allows us to construct recursive types; the metric is shown to interact with
the order structure related to subtyping so as to validate the desired subtyping
rules (Sections 4 and 5).



S. Abramsky (Ed.): TLCA 2001, LNCS 2044, pp. 61-[…], 2001.
© Springer-Verlag Berlin Heidelberg 2001
1 A λ-Calculus with Errors

We consider an untyped λ-calculus with ground values, defined by the following
syntax:

  M, N, N′ ::= x | λx.M | (M N)
             | (M, N) | π_l(M) | π_r(M)
             | tt | ff | top | if M then N else N′ fi.

The only unusual feature of this calculus is the presence of a ground value top
that will be used for representing the result of badly-typed terms.

Our calculus may be equipped with an operational semantics e.g. by defining
a one step reduction relation → on terms. For our calculus, a common choice —
the call-by-name semantics — consists of the rules

  ((λx.M) N) → M[x\N]

  π_l((M, N)) → M        π_r((M, N)) → N

  if tt then N else N′ fi → N        if ff then N else N′ fi → N′

      M → M′
  ──────────────
  E[M] → E[M′]

where the set of evaluation contexts E[·] is defined by

  E[·] ::= ([·] N) | π_l([·]) | π_r([·]) | if [·] then N else N′ fi.

In general, we will be interested in computations that take more than one step.
The reduction relation →* is the transitive reflexive closure of →.

We say that a term M reduces to value V, written M ↓ V, if M →* V where V
is a value. We write M ↓ when there exists a value V such that M ↓ V, and
M ↑ otherwise.

1.1 Errors in the Calculus 

The relation ↓ is not total; a number of terms do not reduce to values. This
is expected, as we have done nothing whatsoever to prevent the formation of
meaningless terms.

Let δ be the term λx.(x x). The term (δ δ) does not reduce to a value; (δ δ)
leads to an infinite sequence of one-step reductions:

  (δ δ) → (δ δ) → (δ δ) → …

A very different example of a term that fails to reduce to a value is

  M = if λx.x then tt else ff fi

In this case, small-step semantics shows that the reduction remains “stuck” at
a non-value term: there is no M′ such that M → M′. In our view, this situation
corresponds to a runtime error — an exceptional situation detected during the
reduction of a term. As our calculus contains no constructs that allow us to
handle (“trap”) such errors, we shall use the term untrappable error.

We will use the term top to represent untrappable errors. Intuitively, a term
should reduce to top whenever its reduction gets “stuck” with no applicable rule;
unfortunately, such a simple extension does not quite work. Indeed, consider the
“identity on the Booleans” I_Bool = λx.if x then tt else ff fi; this term behaves
as the identity when applied to a Boolean, but returns an error when applied to a
function or a pair. Let now Y be a fixpoint combinator, and consider the “looping
Boolean” (Y I_Bool); intuitively, we would expect this term to loop when invoked
in a Boolean context, but return an error when e.g. applied. The reduction
relation augmented as suggested above causes it to loop (this problem is
expressed technically by the failure of computational adequacy of our model
w.r.t. ↓ […, Section 2.3]).

We therefore define a different reduction relation, written ⇓, which is ex-
plicitly decorated with the locus of the computation. To do so, we introduce a
notion of initial component, a finite sequence over {1, l, r} (the empty sequence
is written ε). Walking the syntax tree of a type, computation happening on the
right-hand side of an arrow is marked by 1; computation happening on the left-
hand side (resp. right-hand side) of a product is marked by l (resp. r). A family
of reduction relations ⇓c, indexed by initial components, is defined in Fig. 1.

As usual, we write M ⇑c when there is no V such that M ⇓c V. We write ε
for the empty component, and |c| for the length of component c.

To clarify this definition, note that the form of a value resulting from reduc-
tion at initial component c is determined by c. More precisely, if M is a closed
term and c an initial component such that M ⇓c V, then one of the following is
true:

— V = top; or

— c = ε and V = ff or V = tt; or

— c is of the form 1·c′ and V is of the form λx.M′; or

— c is of the form l·c′ or r·c′, and V is of the form (N, P).

Conversely,

— if (M, N) ⇓c P, then either c is of the form l·c′ or r·c′, or P = top;

— if λx.M ⇓c N, then either c is of the form 1·c′ or N = top;

— if tt ⇓c N or ff ⇓c N, then either c = ε or N = top.

There is also a simple relationship between ⇓ and the simple reduction re-
lation ↓; it shows that the extension that we introduce only concerns erroneous
reductions. Roughly speaking, the relations ⇓ and ↓ coincide, except in the case
in which ⇓ yields an untrappable error and ↓ diverges. More precisely, M ↓ V
implies that for some initial component c, M ⇓c V. Conversely, M ↑ implies that
for all c, either M ⇑c or M ⇓c top. Finally, if for some c, M ⇑c, then M ↑.
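The relation ⇓c of this section, as an added example in Python (not code from the paper): the rules of Fig. 1 transcribed directly, then run on the terms discussed above, I_Bool applied to a Boolean, a pair and a function, tt used at a non-empty component, and the looping Boolean (Y I_Bool) at component 1 and at ε. The term encoding, the step budget that stands in for divergence, and the distinct-binder assumption in substitution are this example's own.

```python
"""Big-step reduction with untrappable errors and initial components.

Added example, not code from the paper: the rules of Fig. 1 transcribed
into Python.  Terms are nested tuples; an initial component is a tuple over
{'1', 'l', 'r'}, with () standing for epsilon.  Two assumptions of this
example only: substitution is not capture-avoiding (binders are assumed to
have distinct names), and a step budget stands in for divergence, for which
the relation itself has no result.
"""

TOP, TT, FF = ('top',), ('tt',), ('ff',)


def var(x): return ('var', x)
def lam(x, m): return ('lam', x, m)
def app(m, n): return ('app', m, n)
def pair(m, n): return ('pair', m, n)
def proj_l(m): return ('pi_l', m)
def proj_r(m): return ('pi_r', m)
def ite(m, n, p): return ('if', m, n, p)


class Diverges(Exception):
    """Step budget exhausted: taken here as M ⇑c (no V with M ⇓c V)."""


def subst(m, x, n):
    """M[x\\N]: replace free occurrences of x in M by N (distinct binders assumed)."""
    tag = m[0]
    if tag == 'var':
        return n if m[1] == x else m
    if tag == 'lam':
        return m if m[1] == x else ('lam', m[1], subst(m[2], x, n))
    if tag in ('tt', 'ff', 'top'):
        return m
    return (tag,) + tuple(subst(sub, x, n) for sub in m[1:])


def reduce_at(m, c=(), fuel=300):
    """Return the V with M ⇓c V, following Fig. 1 rule by rule."""
    if fuel == 0:
        raise Diverges(m)
    tag = m[0]
    if tag == 'top':                          # top ⇓c top at every component
        return TOP
    if tag in ('tt', 'ff'):                   # tt ⇓ε tt; tt ⇓c top for c ≠ ε (ff alike)
        return m if c == () else TOP
    if tag == 'lam':                          # λx.M ⇓1·c' λx.M; λx.M ⇓c top unless c = 1·c'
        return m if c[:1] == ('1',) else TOP
    if tag == 'pair':                         # (M,N) ⇓l·c' (M,N), ⇓r·c' (M,N); top if c = ε or 1·c'
        return m if c[:1] in (('l',), ('r',)) else TOP
    if tag == 'app':                          # M ⇓1·c λx.M'   M'[x\N] ⇓c P  /  (M N) ⇓c P
        f = reduce_at(m[1], ('1',) + c, fuel - 1)
        if f == TOP:                          # M ⇓1·c top  /  (M N) ⇓c top
            return TOP
        return reduce_at(subst(f[2], f[1], m[2]), c, fuel - 1)
    if tag in ('pi_l', 'pi_r'):               # M ⇓l·c (N,P)   N ⇓c N'  /  π_l(M) ⇓c N'  (r dually)
        side = 'l' if tag == 'pi_l' else 'r'
        p = reduce_at(m[1], (side,) + c, fuel - 1)
        if p == TOP:                          # M ⇓l·c top  /  π_l(M) ⇓c top
            return TOP
        return reduce_at(p[1] if side == 'l' else p[2], c, fuel - 1)
    if tag == 'if':
        if c != ():                           # if M then N else P fi ⇓c top  (c ≠ ε)
            return TOP
        b = reduce_at(m[1], (), fuel - 1)     # the condition is always reduced at ε
        if b == TOP:                          # M ⇓ε top  /  if M then N else P fi ⇓ε top
            return TOP
        return reduce_at(m[2] if b == TT else m[3], (), fuel - 1)
    raise ValueError('open term: %r' % (m,))


# Terms from Section 1: I_Bool, the looping δ, and a fixpoint combinator Y.
I_BOOL = lam('x', ite(var('x'), TT, FF))
DELTA = lam('d', app(var('d'), var('d')))
Y = lam('f', app(lam('u', app(var('f'), app(var('u'), var('u')))),
                 lam('v', app(var('f'), app(var('v'), var('v'))))))


def diverges(m, c=()):
    """True when the step budget runs out, i.e. M ⇑c under this example's approximation."""
    try:
        reduce_at(m, c)
    except Diverges:
        return True
    return False


if __name__ == '__main__':
    print(reduce_at(app(I_BOOL, TT)))              # ('tt',): the identity on Booleans
    print(reduce_at(app(I_BOOL, pair(TT, FF))))    # ('top',): an error when applied to a pair
    print(reduce_at(TT, ('1',)))                   # ('top',): a Boolean used as a function
    print(reduce_at(app(Y, I_BOOL), ('1',)))       # ('top',): the looping Boolean, applied
    print(diverges(app(Y, I_BOOL)))                # True: but it loops in a Boolean context
```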

1.2 Errors and Denotational Semantics 

It is not immediately obvious how to model errors in Denotational Semantics. 
Consider for example the domain of Booleans. One choice would be to add an
error value error “on the side” (Fig. 2(a)); another one would be to add a value
top as a top element (Fig. 2(b)).

  tt ⇓ε tt        ff ⇓ε ff        tt ⇓c top  (c ≠ ε)        ff ⇓c top  (c ≠ ε)

  λx.M ⇓1·c λx.M          λx.M ⇓c top  (c ≠ 1·c′)

  (M, N) ⇓l·c (M, N)      (M, N) ⇓r·c (M, N)      (M, N) ⇓c top  (c = ε or c = 1·c′)

  M ⇓1·c λx.M′    M′[x\N] ⇓c P          M ⇓1·c top
  ────────────────────────────          ──────────────
          (M N) ⇓c P                     (M N) ⇓c top

  M ⇓l·c (N, P)    N ⇓c N′              M ⇓l·c top
  ─────────────────────────             ──────────────
       π_l(M) ⇓c N′                      π_l(M) ⇓c top

  M ⇓r·c (N, P)    P ⇓c P′              M ⇓r·c top
  ─────────────────────────             ──────────────
       π_r(M) ⇓c P′                      π_r(M) ⇓c top

  M ⇓ε tt    N ⇓ε N′                    M ⇓ε ff    P ⇓ε P′
  ─────────────────────────────         ─────────────────────────────
  if M then N else P fi ⇓ε N′           if M then N else P fi ⇓ε P′

  M ⇓ε top
  ─────────────────────────────         ─────────────────────────────  (c ≠ ε)
  if M then N else P fi ⇓ε top          if M then N else P fi ⇓c top

Fig. 1. Big-step semantics with errors and initial components

It is our view that errors on the side model (trappable) exceptions, while
errors at top model untrappable errors. Consider, indeed, the addition to our
calculus of a term ignore-errors that would satisfy

  ignore-errors tt ⇓ε tt
  ignore-errors ff ⇓ε tt
  ignore-errors top ⇓ε ff

Denotationally, such a term would have to map tt to tt while mapping top to
ff, which would be a non-monotone semantics. On the other hand, modelling an
analogous term using error instead of top would cause no problem at all.

Errors “on the side,” or exceptions, have been studied before […]; in this
paper, we adopt the domain in Fig. 2(b).

The addition of a top value to Scott domains was a common feature of
early Denotational Semantics. However, this value does not seem to be used
for modelling anything, but is just added to domains in order to turn them into
complete lattices.

Fig. 2. Two domains of Booleans with errors: (a) the value error placed “on the side”,
beside tt and ff; (b) the value top placed above tt and ff, with ⊥ at the bottom.

1.3 Observational Preorder 

In order to complete the definition of the semantics of our calculus, we need to
introduce a notion of equivalence of terms. This is usually done by defining a
set of observations, which is then used to define a congruent preorder on terms
known as the observational preorder. We choose our set of observations to consist
of the observations “reduction to top at ε,” “reduction to tt at ε” and “reduction
to ff at ε,” ordered analogously to Fig. 2(b).

Definition 1. (Observational preorder)

We say that two terms M and N are observationally equivalent, and write M =
N, when M ≤ N and N ≤ M.

As usual in calculi with ground values, the observational preorder can be
defined by just one well-chosen observation; one possible choice is reduction to
top at ε.

Lemma 1. M ≤ N if and only if

  ∀C[·]. C[M] ⇓ε top ⟹ C[N] ⇓ε top.

Informally, this lemma says that terms are equivalent if and only if they
generate errors in the same set of contexts.

It is worthwhile to compare our calculus with Abramsky's lazy λ-calculus […].
Writing Ω for the looping term (e.g. Ω = ((λx.(x x)) λx.(x x))), notice that Ω
and λx.Ω are observationally distinct. Indeed, taking

  C[·] = if · then tt else ff fi

we have C[Ω] ⇑ε, while C[λx.Ω] ⇓ε top. On the other hand, as we shall see
in Section 2, we introduce no explicit lifting in a sound and computationally
adequate model. Thus, we believe that our calculus combines the most desirable
characteristics of what Abramsky calls the standard interpretation of the λ-
calculus with those of the lazy calculus. The fundamentally call-by-name nature
of the construction is reflected in the syntax by the fact that the terms top and
λx.top are observationally equivalent (see the end of Section 2.2).

2 A Game Semantics for the Untyped Calculus

This section roughly outlines the semantic framework used for modelling untyped
terms. As Game Semantics has been described before […] and so has our
particular framework […], this section remains informal.

In Game Semantics, a term is represented by a strategy, the set of its be-
haviours in all possible contexts. A behaviour is modelled as a play between two
players, Player, who represents the term under consideration, and Opponent,
who represents its environment (the context it is in). The two players exchange
tokens of information known as moves — one may think of these as (visible)
actions in process calculi, or messages in message-passing object-oriented lan-
guages. By convention, Opponent plays first when modelling a call-by-name
calculus.

Moves are structured into components which correspond to paths in the syn-
tax tree of a type. For example, a strategy corresponding to a term of type
Bool → Bool exchanges moves in components 0 (the left-hand side of the ar-
row) and 1. Precisely, a move is of the form m_c, where m is one of q, the question,
a_tt, the answer true, or a_ff, the answer false, and c, the component of the move,
is a finite string over 0, 1, l, r. In addition, moves are decorated with justification
pointers which, while absolutely necessary for the correctness of the interpreta-
tion, are not essential for the ideas in this paper.

A position is an alternating sequence of moves — odd-ordered moves played
by Opponent, even-ordered ones by Player. A strategy is a set of positions that
specify the moves played by Player in response to a given sequence of moves
from Opponent.

The main novelty of the formalism used in this work and introduced in […] is
that we allow strategies to refuse moves, which is used for modelling untrappable
errors. Concretely, this is realised by allowing strategies to contain both even- and
odd-length positions. In a spirit similar to that of Harmer […, Chapter 4], even-
length positions represent moves that are played by Player, while odd-length
positions represent situations in which Player loops.

Definition 2. A set s of positions is

— prefix-closed if p·q ∈ s implies p ∈ s for any positions p and q;

— even-prefix-closed if p·q ∈ s and |p| even imply p ∈ s for any positions p
and q;

— deterministic if for any position p, if |p| is odd then, for any moves m
and n,

  — p·m ∈ s and p·n ∈ s imply m = n; and

  — p·m ∈ s implies p ∉ s.

A strategy is a non-empty even-prefix-closed deterministic set of positions.

For any collection of positions A, we write Pref A for the prefix completion of A.

The even-prefix-closedness condition in this definition says that a strategy
cannot mandate that Opponent should play at a given position: a strategy must
allow for the situation in which Opponent never plays a move. As to the deter-
minacy condition, it states that a strategy cannot mandate either playing two
distinct moves or both playing and not playing a move at a given position. Taken
together, even-prefix-closedness and determinacy imply that an odd-length po-
sition in a strategy cannot be extended (i.e. if p ∈ s and |p| is odd, then no p·q
is in s): once a strategy has refused to play a move, the play will not proceed
further.

In […], we define a certain number of strategies. The strategy top consists
of the single empty position ε; this strategy never accepts an Opponent's move.
The strategy Ω consists of all positions of length 1; thus, it always accepts an
initial move from Opponent, but never plays a move. The strategy tt consists
of all even-length positions composed of alternations of the moves q and a_tt;
thus, it always accepts an initial question, and replies with the answer true (ff
is analogous).

The class of strategies that copy moves between components are known as
the copy-cat strategies; this class includes the identity I, the projections π_r and
π_l, and, to a certain extent, the “if-then-else” strategy ite. In addition, we use a
number of operations on strategies, including (functional) pairing ⟨·,·⟩, currying
Λ(·), as well as the injection K(·) which “shifts” a strategy into component 1.

Composition of strategies s and t is performed by ranging over all behaviours
in s and t, selecting those that agree on a common component, and composing
them, similarly to Baillot et al. […]. However, we cannot just use their formalism,
as we need to take into account livelock, or infinite chattering, the situation
in which two strategies never disagree but never have positions that coincide.
Indeed, suppose that when composing s with t, after the initial move is played
in component 1 of t, both t and s keep playing in the common component. In
this case, the two strategies would never ultimately reach agreement, and yet
neither would ever play a move that is not accepted by the other.

Definition 3. Given a natural integer n, we say that two positions p and q
agree at depth n if p and q only contain moves within components 1 and 0, and
the prefix of length n of p↾1 is equal to the prefix of the same length of q↾0 (or
p↾1 = q↾0 if both projections are of length smaller than n).

Given two strategies s and t, the strategy s;t is the set of all positions p such
that for any natural integer n, there exist positions q ∈ s and q′ ∈ t such that q
and q′ agree at depth n, q↾0 = p↾0 and q′↾1 = p↾1.

2.1 The Liveness Ordering

We now introduce an ordering — the liveness ordering ≼ — which will model
the observational preorder, the typing relation, and the subtyping relation (Lem-
mata […] and […], and Theorem […]), and is inspired by Abramsky's “back-and-forth
inclusion relation” […]. The definition of the liveness ordering is analogous to
that of the observational preorder. Just like for terms M and N we have M ≤ N
when M produces errors in fewer contexts than N and N produces results in
more contexts than M (Definition 1), we will want strategies s and t to satisfy
s ≼ t if and only if s accepts more positions and produces fewer positions than t
when playing against any given opponent. We define ≼ on prefix-closed sets of
positions, and deduce a suitable definition for strategies from that.

For any non-empty position p, we write p₋₁ for the prefix of p of length |p| − 1
(i.e. p without its last move).



Definition 4. Given non-empty prefix-closed sets of positions A and B, we say
that B is more live than A, or A is safer than B, and write A ≼ B, if

— for every position of odd length q ∈ B, if q₋₁ ∈ A then q ∈ A; and

— for every position of even length p ∈ A (p ≠ ε), if p₋₁ ∈ B, then p ∈ B.



The definition of ≼ may be paraphrased as follows. Given a prefix-closed collec-
tion of positions A, a position p is said to be reachable at A if p₋₁ ∈ A or p = ε.
In order to have A ≼ B, the set of odd-length positions (positions ending in an
Opponent's move) in A that are reachable at A needs to be a superset of the set
of odd-length positions in B; and, dually, the set of even-length positions in B
that are reachable at B should be a superset of the even-length positions in A.
A clarification of the intuitions behind the liveness ordering may be found in
[…].



Theorem 1. The relation ≼ is a partial order on non-empty prefix-closed col-
lections of positions.



The definition of ≼ above does not yield a transitive or antireflexive relation on
arbitrary sets of positions. We may, however, extend ≼ to all non-empty sets of
positions by writing A ≼ B whenever Pref(A) ≼ Pref(B); while this only makes
≼ into a preorder on arbitrary sets of positions, it does actually make it into a
partial order on strategies.



Lemma 2. If s and t are strategies, then Pref(s) = Pref(t) implies s = t. The
relation ≼ is therefore a partial order on strategies.

This property does depend on the fact that we have restricted ourselves to
deterministic strategies.
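Definitions 2 and 4 as executable checks, an added example that is not code from the paper: a strategy test, the liveness test A ≼ B, and a brute-force check of Theorem 1, run on finite cut-offs of the strategies top, Ω, tt and ff described in this section; the move encoding, the cut-off depth and the three initial moves given to Ω are this example's assumptions.

```python
"""Strategies and the liveness ordering of Section 2, checked on small examples.

Added example, not code from the paper: Definition 2 (strategy) and
Definition 4 (A ≼ B) as executable checks, run on finite cut-offs of the
strategies top, Ω, tt and ff of this section.  Encoding choices are this
example's own: a move is a (symbol, component) pair, a position is a tuple
of moves, and tt / ff are cut off after a fixed number of exchanges.
"""

Q, A_TT, A_FF = ('q', ''), ('a_tt', ''), ('a_ff', '')   # moves at the empty component


def pref(positions):
    """Pref A: the prefix completion of a collection of positions."""
    return {p[:k] for p in positions for k in range(len(p) + 1)}


def is_strategy(s):
    """Definition 2: non-empty, even-prefix-closed and deterministic."""
    if not s:
        return False
    even_prefix_closed = all(p[:k] in s for p in s for k in range(0, len(p), 2))
    played = {}                     # odd position q -> the unique move m with q·m ∈ s
    for p in s:
        if len(p) % 2 == 0 and p:
            q, m = p[:-1], p[-1]
            if q in s:              # q ∈ s would mean Player both loops and plays at q
                return False
            if played.setdefault(q, m) != m:
                return False        # two distinct moves played at q
    return even_prefix_closed


def more_live(a, b):
    """Definition 4: A ≼ B (B is more live than A) for prefix-closed A and B."""
    for q in b:                     # odd-length positions of B reachable at A must be in A
        if len(q) % 2 == 1 and q[:-1] in a and q not in a:
            return False
    for p in a:                     # even-length positions of A reachable at B must be in B
        if len(p) % 2 == 0 and p and p[:-1] in b and p not in b:
            return False
    return True


def liveness_leq(s, t):
    """s ≼ t for strategies, via prefix completion (a partial order by Lemma 2)."""
    return more_live(pref(s), pref(t))


def is_partial_order(family):
    """Theorem 1, checked by brute force on a finite family of prefix-closed sets."""
    fam = [frozenset(a) for a in family]
    n = range(len(fam))
    leq = {(i, j): more_live(fam[i], fam[j]) for i in n for j in n}
    reflexive = all(leq[i, i] for i in n)
    antisymmetric = all(fam[i] == fam[j] for i in n for j in n if leq[i, j] and leq[j, i])
    transitive = all(leq[i, k] for i in n for j in n for k in n if leq[i, j] and leq[j, k])
    return reflexive and antisymmetric and transitive


# The strategies of Section 2, cut off at three question/answer exchanges.
TOP_STRAT = {()}                                   # refuses every Opponent move
OMEGA = {(), (Q,), (A_TT,), (A_FF,)}               # accepts any initial move, never plays
TT_STRAT = {(Q, A_TT) * k for k in range(4)}       # answers every question with a_tt
FF_STRAT = {(Q, A_FF) * k for k in range(4)}       # answers every question with a_ff


def hasse_order():
    """Pairs (s, t) of named strategies with s ≼ t; matches the domain of Fig. 2(b)."""
    named = {'omega': OMEGA, 'tt': TT_STRAT, 'ff': FF_STRAT, 'top': TOP_STRAT}
    return {(a, b) for a in named for b in named if liveness_leq(named[a], named[b])}


if __name__ == '__main__':
    for s, t in sorted(hasse_order()):
        print('%s ≼ %s' % (s, t))
```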



Subtyping Recursive Games



2.2 Interpretation of the Calculus

We interpret a couple Γ ⊢ M, where Γ is an (ordered) list of variables, and M
a term such that FV(M) ⊆ Γ. The interpretation is defined as follows.

  [[x ⊢ x]] = I
  [[Γ, x ⊢ x]] = π_r
  [[Γ, y ⊢ x]] = π_l; [[Γ ⊢ x]]
  [[Γ ⊢ tt]] = K(tt)
  [[Γ ⊢ ff]] = K(ff)
  [[Γ ⊢ top]] = top
  [[Γ ⊢ λx.M]] = Λ([[Γ, x ⊢ M]])
  [[Γ ⊢ (M N)]] = ⟨[[Γ ⊢ M]], [[Γ ⊢ N]]⟩; eval
  [[Γ ⊢ (M, N)]] = ⟨[[Γ ⊢ M]], [[Γ ⊢ N]]⟩
  [[Γ ⊢ π_l(M)]] = [[Γ ⊢ M]]; π_l
  [[Γ ⊢ π_r(M)]] = [[Γ ⊢ M]]; π_r
  [[Γ ⊢ if M then N else N′ fi]] = ⟨[[Γ ⊢ M]], ⟨[[Γ ⊢ N]], [[Γ ⊢ N′]]⟩⟩; ite


The notion of soundness that we use is somewhat complicated by the fact
that we use a family of reduction relations. Given a component c, we say that
two strategies s and t are equal at component c, and write s =c t, when the sets
of positions in s and t starting with a move in component c coincide.

Lemma 3. (Equational Soundness) If [[Γ ⊢ M]] is defined and M ⇓c N, then
[[Γ ⊢ N]] is defined and [[Γ ⊢ N]] =_{1·c} [[Γ ⊢ M]].

The interpretation is also computationally adequate.

Lemma 4. (Computational Adequacy) If [[Γ ⊢ M]] is defined and there is no
term N such that M ⇓c N, then [[Γ ⊢ M]] =_{1·c} Ω.

In order to prove this property, we use a variant of Plotkin's method of formal
approximation relations. We say that a family ◁c of relations between strategies
and terms, indexed by initial components, is a family of formal approximation
relations when it satisfies a number of fairly natural properties that imply in
particular that s ◁c M implies s =_{1·c} Ω or M ⇓c. We then show the existence
of such a family, and that for any closed term M and initial component c,
[[Γ ⊢ M]] ◁c M, which allows us to conclude by a standard argument.

Soundness, computational adequacy and Lemma 1 imply inequational sound-
ness.

Lemma 5. (Inequational Soundness) For any two terms M and N, if [[M]] ≼
[[N]] then M ≤ N.

Inequational soundness can often be used for proving properties about the
calculus itself. For example, as the terms top and λx.top have the same inter-
pretation, we may conclude that they are in fact observationally equivalent.



3 Type Assignment and Subtyping 

In order to define a type assignment on our calculus, we assume the existence
of a countable set of type variables X, Y, … and define the syntax of types as
follows.

  A, B ::= Bool | T | X | A × B | A → B | μX.C

where the type C is guarded in the type variable X. Thus, types consist of the
ground type Bool of Booleans, the type T of all terms, type variables, product
types, arrow types, and recursive types.

The set of types guarded in a type variable X is defined by the grammar

  C, D ::= Bool | T | Y | A × B | A → B | μY.C

In order to speak about subtyping of recursive types, we need a notion of co-
variant type. The set of types covariant in a type variable X is defined by the
grammar

  E, F ::= Bool | T | X | Y | E × F | G → E | μY.E

where G is contravariant in X; the set of types contravariant in a type variable
X is defined by the grammar

  G, H ::= Bool | T | Y | G × H | E → G | μY.G

An environment is a set of type variables and a map from variables to types.
We use the letter E to range over environments, and write

  X, Y, x : C, y : D

for the environment that specifies the free type variables X and Y, and maps x
to C, y to D and all other type variables and variables to T.

We use two kinds of judgements. A subtyping judgement is of the form E ⊢
A ≤ B and specifies that in the environment E, the type A is a subtype of the
type B; we write E ⊢ A = B for E ⊢ A ≤ B and E ⊢ B ≤ A. A typing judgement
is of the form E ⊢ M : A and states that in the environment E, the term M has
type A.

The set of inference rules used for typing is given in Figures 3 and 4. Some-
what unusual is the fact that there are no explicit rules for the folding and
unfolding of recursive types; these rules can in fact be derived from the penul-
timate rule in Fig. 4 and subsumption (the last rule in Fig. 3). The last rule in
Fig. 4 is the subtyping rule proposed by Amadio and Cardelli […].



3.1 Games and the Liveness Ordering 

Types will be interpreted as games. A game is a set of positions that provide a 
specification that a strategy may or may not satisfy. 

As we use the liveness ordering to interpret typing, a game A provides not 
only a specification for Player but also a specification for Opponent. A strategy 
s belongs to the game A if its behaviour satisfies the constraints expressed by A, 
but only as long as Opponent behaves according to A; Player’s behaviour is oth- 
erwise unrestricted. Technically, this is expressed by the reachability condition 
in the definition of the liveness ordering. 

Definition 5. A game is a non-empty prefix-closed set of positions. 
  E ⊢ M : T            E, x : A ⊢ x : A

  E, x : A ⊢ M : B
  ─────────────────────
  E ⊢ λx.M : A → B

  E ⊢ M : A → B    E ⊢ N : A
  ───────────────────────────
  E ⊢ (M N) : B

  E ⊢ tt : Bool        E ⊢ ff : Bool

  E ⊢ M : Bool    E ⊢ N : A    E ⊢ P : A
  ────────────────────────────────────────
  E ⊢ if M then N else P fi : A

  E ⊢ M : A    E ⊢ N : B
  ───────────────────────
  E ⊢ (M, N) : A × B

  E ⊢ M : A × B          E ⊢ M : A × B
  ───────────────        ───────────────
  E ⊢ π_l(M) : A         E ⊢ π_r(M) : B

  E ⊢ M : A    E ⊢ A ≤ B
  ───────────────────────
  E ⊢ M : B

Fig. 3. Typing rules



We write 𝒢 for the set of games.

The game T = {ε} is the maximal element of the lattice of games. The game
Bool of Booleans is defined as the set of all interleavings of positions in Pref tt
and Pref ff. The game A × B consists of the set of the injections of all positions
in A in the component l, the injections of all positions in B in the component r,
and all interleavings of such positions. Finally, the game A → B consists of all
positions p entirely within components 0 and 1 such that p↾0 is an interleaving
of positions in A and p↾1 is an interleaving of positions in B.



4 A Metric on Games 

In order to solve recursive type equations, we use Banach's fixpoint theorem. We
recall that a metric space is said to be complete when every Cauchy sequence has
a limit. A map f over a metric space (X, d) is said to be Lipschitz with constant
λ > 0 when for all x, y ∈ X, d(f(x), f(y)) ≤ λ d(x, y). Such a map is said to be
nonexpanding when λ ≤ 1, and contractive when λ < 1.

Theorem 2. (Banach) A contractive map f over a complete metric space has
a unique fixpoint fix(f).

In order to solve recursive type equations using Banach's theorem, we need
to equip the set of games 𝒢 with a metric that makes it into a complete space;
furthermore, the metric should make all type constructors into contractive maps.
  E ⊢ A ≤ A

  E ⊢ A ≤ B    E ⊢ B ≤ C
  ───────────────────────
  E ⊢ A ≤ C

  E ⊢ A ≤ T            E ⊢ T ≤ A → T

  E ⊢ A′ ≤ A    E ⊢ B ≤ B′
  ─────────────────────────
  E ⊢ A → B ≤ A′ → B′

  E ⊢ A ≤ A′    E ⊢ B ≤ B′
  ─────────────────────────
  E ⊢ A × B ≤ A′ × B′

  E ⊢ μX.B[X] = B[μX.B[X]]

  E, X ⊢ A[X] ≤ B[X]
  ─────────────────────────  (A, B covariant in X)
  E ⊢ μX.A[X] ≤ μX.B[X]

Fig. 4. Subtyping rules



Games, being prefix-closed collections of sequences, may be seen as trees, so it
would seem natural to equip 𝒢 with the tree metric. Unfortunately, this simple
approach does not yield enough contractive maps, failing in particular to make
the product contractive. For this reason, we apply the tree metric method twice,
once to components and once to positions.

Definition 6. Let p = m₀ ⋯ mₙ₋₁ be a position, and M_p the set of moves m
such that p·m is a position. For any move m ∈ M_p, the weight of m w.r.t. p is
defined by w_p(m) = … where c is the component of m.

The ultrametric d_p on M_p is defined, for distinct moves m, m′, as
d_p(m, m′) = … where c is the longest common prefix of the components of
m, m′.

We are now ready to define the metric on positions that will serve our needs. 
Given two distinct positions p and p' , either one is the prefix of the other, in 
which case we will use the weight of the first differing move, or neither is a prefix 
of the other, in which case we use the distance between the first differing moves. 



Definition 7. Given a position p = q·mₙ = m₀·m₁ ⋯ mₙ₋₁·mₙ, the weight
of p is defined as w(p) = 2^{−n} w_q(mₙ).

The metric d on the set of positions is defined as follows. Given two distinct
positions p, p′, let q = m₀ ⋯ mₙ₋₁ be their longest common prefix. If

  p = q·mₙ·r,    p′ = q·m′ₙ·r′,

then d(p, p′) = 2^{−n} d_q(mₙ, m′ₙ). On the other hand, if

  p = q·mₙ·r,    p′ = q,

then d(p, p′) = 2^{−n} w_q(mₙ).
Note that this metric does not induce the discrete topology on the set of posi-
tions; games, however, are closed with respect to it, and therefore we may still
apply the Hausdorff formula to games.

Definition 8. The metric d on the set of games is defined by the Hausdorff
formula

  d(A, B) = max( sup_{p∈A} inf_{q∈B} d(p, q), sup_{q∈B} inf_{p∈A} d(p, q) ).

As the space of positions is not complete, and games are not necessarily
compact¹, we cannot take any of the properties of Hausdorff's metric for granted.
However, a fairly standard proof shows that in fact d does have all the desired
properties.

Theorem 3. The space of games (𝒢, d) is a complete ultrametric space.

There is another property that we will need in order to prove soundness of 
typing: the fact that least upper bounds preserve the ordering in some cases. The 
following property is simple enough to prove directly and is sufficiently strong 
for our needs: 

Lemma 6. If $A$ is a game, then the order ideal $\{B \mid B \preceq A\}$ is closed with respect to $d$.

This is proved by considering a game $C \not\preceq A$. If $A$ contains a position $p$ such that $p \notin C$ but all strict prefixes of $p$ are in $C$, we define the real number $\delta$ as the minimum of the weights of all prefixes of $p$, and show that for any $B \preceq A$, $d(B, C) \geq \delta$. A similar argument applies in the case when $p \in C$, $p \notin A$ and all strict prefixes of $p$ are in $A$.

This property implies the following one, which we will need in order to prove 
soundness: 

Lemma 7. Let $f, g : \mathcal{G} \to \mathcal{G}$ be monotone, contractive maps over games such that for any game $A$, $f(A) \preceq g(A)$. Then $\mathrm{fix}(f) \preceq \mathrm{fix}(g)$.

Finally, as the metric was constructed ad hoc, it is a simple matter to show 
that all type constructors are contractive. 

Lemma 8. The maps over games $\cdot \times \cdot$ and $\cdot \to \cdot$ are contractive in all of their arguments.

5 Interpreting Types 

In order to interpret types, we need to give values to free type variables. A 
type environment is a map from type variables to games; we range over type 
environments with the Greek letter $\eta$. We write $\eta[X \backslash A]$ for the type environment 



^1 Actually, they are in this case, but would no longer necessarily be so if we chose to 
use an infinite set of ground values. 
that is equal to $\eta$ except at $X$, which it maps to $A$, and interpret types as maps 
from type environments to types as follows: 



$[\![\mathrm{Bool}]\!]\eta = \mathrm{Bool}$ \qquad $[\![A \times B]\!]\eta = [\![A]\!]\eta \times [\![B]\!]\eta$

$[\![T]\!]\eta = T$ \qquad $[\![A \to B]\!]\eta = [\![A]\!]\eta \to [\![B]\!]\eta$

$[\![X]\!]\eta = \eta(X)$ \qquad $[\![\mu X.A[X]]\!]\eta = \mathrm{fix}(\lambda X.\, [\![A]\!](\eta[X \backslash X]))$



The well-foundedness of this definition is a consequence of the following lemma: 



Lemma 9. If $A$ is a type, then

(i) $[\![A]\!]$ is well-defined;

(ii) $[\![A]\!]$ is a pointwise nonexpanding map;

(iii) if $A$ is guarded in $X$, then $[\![A]\!](\eta[X \backslash X])$ is contractive in $X$;

(iv) if $A$ is covariant (resp. contravariant) in $X$, then $[\![A]\!](\eta[X \backslash X])$ is monotone (resp. antimonotone) in $X$.

The four properties are shown simultaneously by induction on the syntax of 
types. The only issue with part (i) is that of the existence and unicity of fixpoints, 
which is a consequence of part (iii) of the induction hypothesis, the fact that we 
restrict the fixpoint operator to guarded types, and Banach's fixpoint theorem. 
Parts (ii) and (iii) follow from Lemma 8 and the fact that $d$ is an ultrametric, 
and part (iv) only depends on itself. 

5.1 Soundness of Typing 

The following lemma expresses the soundness of subtyping and is proved by induction on the derivation of $E \vdash A < A'$.

Lemma 10. (Soundness of subtyping) Let $E$ be an environment, and $A$ and $A'$ types such that $E \vdash A < A'$. Let $\eta$ be a type environment; then $[\![A]\!]\eta \preceq [\![A']\!]\eta$.

The main novelty in this lemma is the soundness of the last subtyping rule for the fixpoint operator; this is a consequence of Lemma 7.

Expressing the soundness of typing is slightly more involved, as we need to 
consider not only free type variables but also free variables. 

Theorem 4. Let $E$ be a typing environment, $M$ a term and $A$ a type such that $E \vdash M : A$. Suppose that $E = X_1, \ldots, X_n, x_1 : C_1, \ldots, x_m : C_m$, and let $\Gamma = x_1, \ldots, x_m$; let $\eta$ be a typing environment, and $C$ be the type $C = (\cdots(C_1 \times C_2) \times \cdots C_m)$. Then $[\![E \vdash M]\!] \in [\![C]\!]\eta \to [\![A]\!]\eta$.

The usual statement of the safety of typing — that “well-typed terms cannot 
go wrong” — translates in our setting into the statement that terms that have 
a non-trivial type do not generate untrappable errors. 

Corollary 1. (Safety of Typing) If $\vdash M : A$, where $M$ is a closed term and $A$ a closed type such that $[\![A]\!]\emptyset \neq T$, then it is not the case that $M \Downarrow \mathrm{top}$.

6 Conclusions and Further Work 

In a previous work, we have shown how the addition of explicit untrappable 
errors to a simple λ-calculus with ground values induces a notion of subtyping, 
and have given a sound Game Semantics model of the calculus with explicit 
errors and subtyping. In this paper, we have shown how a minor modification 
of the operational semantics makes our model computationally adequate. We 
believe that this calculus combines the best features of the standard and lazy 
semantics of the λ-calculus. 

In addition, we have shown how the model supports recursive types by using 
fairly standard machinery, mainly a variant of the tree topology, and Banach’s 
fixpoint theorem. By proving a property relating various order-theoretic and 
metric topologies, we have shown how our model validates the subtyping rule 
proposed by Amadio and Cardelli. 

There is, however, an issue remaining. In [7], we have shown how the model 
supports bounded quantification. As we note there, we have been unable to make 
recursive types and quantifiers coexist in the same model. Indeed, while there 
is no problem with quantifying over fixpoints, there is no apparent reason why 
a least upper bound of contractive maps should itself be contractive; the issue 
is analogous to the well-known lack of properties of intersection with respect to 
Hausdorff’s metric. 
Abstract. We present a type inference algorithm for λ-terms in Elemen- 
tary Affine Logic using linear constraints. We prove that the algorithm 
is correct and complete. 



Introduction 

The optimal reduction of λ-terms ([ ]; see [ ] for a comprehensive account and 
references) is a graph-based technique for normalization in which a redex is never 
duplicated. To achieve this goal, the syntax tree of the term is transformed into 
a graph, with an explicit node (a fan) expressing the sharing of two common 
subterms (these subterms are always variables in the initial translation). Giving 
correct reduction rules for these graphs is a surprisingly difficult problem, first 
solved in [ ]. One of the main issues is to decide how to reduce two meeting 
fans, for which a complex machinery and new nodes have to be added (the 
oracle). There is a large class of (typed) terms, however, for which this decision 
is very simple, namely the terms typeable in Elementary Logic, both in the 
Linear [ ] (ELL) and the Affine [ ] (EAL) flavor. Indeed, any proof-net for ELL 
or EAL may be (optimally) reduced with a simple check for the matching of fans. 
This fact was first observed in [ ], then exploited in [ ] to obtain a certain 
complexity result on optimal reduction, where (following [ ]) we also showed 
that EAL-typed λ-terms are powerful enough to encode arbitrary computations 
of elementary bounded Turing machines. We did not know, however, of any 
systematic way to derive EAL-types for λ-terms, a crucial issue if we want to 
exploit in an optimal reducer the added benefits of this class of terms. This is 
what we present in this paper. 

The main contribution of the paper is a type inference algorithm (Section 2 
and Appendix), assigning EAL-types (formulas) to type-free λ-terms. A typing 
derivation of a λ-term M in EAL consists of a skeleton - given by the derivation 
of a type for M in the simple type discipline - together with a box assignment, 
essential because EAL allows contraction only on boxed terms. The algorithm 
tries to introduce all possible boxes by collecting integer linear constraints dur- 
ing the exploration of the syntax tree of M. At the end, the integer solutions (if 
any) to the constraints give specific box assignments (i.e., EAL-derivations) for 

S. Abramsky (Ed.): TLCA 2001, LNCS 2044, pp. 76-[ ], 2001. 

© Springer-Verlag Berlin Heidelberg 2001 
M (for other approaches to the boxing of intuitionistic derivations, see [ ]). 
Correctness and completeness of the algorithm are proved with respect to a nat- 
ural deduction system for EAL, introduced in Section 2.1 together with terms 
annotating the derivations. For such a term calculus we prove the main standard 
properties, including subject reduction. 



1 Elementary Affine Logic 

Elementary Affine Logic [ ] (Figure 1) is a system with unrestricted weakening, 
where contraction is allowed only for modal formulas. There is only one exponen- 
tial rule for the modality ! (of-course, or bang), which is introduced at once on 
both sides of the turnstile. Cut-elimination may be proved for EAL in a standard 
way. 



    $A \vdash_{EAL} A$

    $\Gamma \vdash_{EAL} A$    $\Delta, A \vdash_{EAL} B$
    ----------------------------------------- cut
           $\Gamma, \Delta \vdash_{EAL} B$

    $\Gamma \vdash_{EAL} B$
    -------------------------- weak
    $\Gamma, A \vdash_{EAL} B$

    $\Gamma, !A, !A \vdash_{EAL} B$
    -------------------------------- contr
    $\Gamma, !A \vdash_{EAL} B$

    $\Gamma, A \vdash_{EAL} B$
    ----------------------------------
    $\Gamma \vdash_{EAL} A \multimap B$

    $\Gamma \vdash_{EAL} A$    $\Delta, B \vdash_{EAL} C$
    -------------------------------------------------
    $\Gamma, \Delta, A \multimap B \vdash_{EAL} C$

    $A_1, \ldots, A_n \vdash_{EAL} B$
    ------------------------------------ !
    $!A_1, \ldots, !A_n \vdash_{EAL} !B$

Fig. 1. (Implicational) Elementary Affine Logic 

A simple inspection of the rules of EAL shows that any λ-term with an EAL 
type has also a simple type^1. Indeed, the simple type (and the corresponding 
derivation) is obtained by forgetting the exponentials, which must be present in 
an EAL derivation because of contraction. 

The idea underlying our type inference algorithm is simple: 

1. finding all “maximal decorations”; 

2. solving sets of linear constraints. 

We informally present the main point with an example on the term $two = \lambda xy.(x(x\,y))$. One (sequent) simple type derivation for two is:

    $w : \alpha \vdash w : \alpha$    $y : \alpha \vdash y : \alpha$
    -------------------------------------------------
    $x : \alpha \to \alpha,\ y : \alpha \vdash (x\,y) : \alpha$    $z : \alpha \vdash z : \alpha$
    ------------------------------------------------------------------------
    $x : \alpha \to \alpha,\ x : \alpha \to \alpha,\ y : \alpha \vdash (x(x\,y)) : \alpha$
    ------------------------------------------------------------------------
    $x : \alpha \to \alpha,\ x : \alpha \to \alpha \vdash \lambda y.(x(x\,y)) : \alpha \to \alpha$
    ------------------------------------------------------------------------
    $x : \alpha \to \alpha \vdash \lambda y.(x(x\,y)) : \alpha \to \alpha$
    ------------------------------------------------------------------------
    $\vdash \lambda xy.(x(x\,y)) : (\alpha \to \alpha) \to \alpha \to \alpha$



^1 However there are simply typed terms not typeable in EAL, see [ ]. 

If we change every $\to$ into $\multimap$, the previous derivation can be viewed as the 
skeleton of an EAL derivation. To obtain a full EAL derivation (provided it 
exists), we need to decorate this skeleton with exponentials, and to check that 
the contraction is performed only on exponential formulas. 

Let's produce first a maximal decoration of the skeleton, interleaving $n$ !-introduction rules after each logical rule. For example

    $w : \alpha \vdash w : \alpha$    $y : \alpha \vdash y : \alpha$
    ------------------------------------------------------
    $x : \alpha \multimap \alpha,\ y : \alpha \vdash (x\,y) : \alpha$

becomes

    $w : \alpha \vdash w : \alpha$                          $y : \alpha \vdash y : \alpha$
    ------------------------------------------ $!^{n_1}$    ------------------------------------------ $!^{n_2}$
    $w : !^{n_1}\alpha \vdash w : !^{n_1}\alpha$            $y : !^{n_2}\alpha \vdash y : !^{n_2}\alpha$
    ----------------------------------------------------------------------------------------------
    $x : !^{n_2}\alpha \multimap !^{n_1}\alpha,\ y : !^{n_2}\alpha \vdash (x\,y) : !^{n_1}\alpha$

where $n_1$ and $n_2$ are fresh variables. We obtain in this way a meta-derivation representing all EAL derivations with $n_1, n_2 \in \mathbb{N}$.

Continuing to decorate the skeleton of two (i.e. to interleave $!^{n_i}$ rules) we obtain

    $w : !^{n_1}\alpha \vdash w : !^{n_1}\alpha$    $y : !^{n_2}\alpha \vdash y : !^{n_2}\alpha$
    ----------------------------------------------------------------------------
    $x : !^{n_2}\alpha \multimap !^{n_1}\alpha,\ y : !^{n_2}\alpha \vdash (x\,y) : !^{n_1}\alpha$
    ---------------------------------------------------------------------------- $!^{n_3}$
    $x : !^{n_3}(!^{n_2}\alpha \multimap !^{n_1}\alpha),\ y : !^{n_2+n_3}\alpha \vdash (x\,y) : !^{n_1+n_3}\alpha$

    $z : \alpha \vdash z : \alpha$
    -------------------------------------------- $!^{n_4}$
    $z : !^{n_4}\alpha \vdash z : !^{n_4}\alpha$

From these two sequents:

    $x : !^{n_1+n_3}\alpha \multimap !^{n_4}\alpha,\ x : !^{n_3}(!^{n_2}\alpha \multimap !^{n_1}\alpha),\ y : !^{n_2+n_3}\alpha \vdash (x(x\,y)) : !^{n_4}\alpha$
    ---------------------------------------------------------------------------------------------------------------------- $!^{n_5}$
    $x : !^{n_5}(!^{n_1+n_3}\alpha \multimap !^{n_4}\alpha),\ x : !^{n_3+n_5}(!^{n_2}\alpha \multimap !^{n_1}\alpha),\ y : !^{n_2+n_3+n_5}\alpha \vdash (x(x\,y)) : !^{n_4+n_5}\alpha$
    ----------------------------------------------------------------------------------------------------------------------
    $x : !^{n_5}(!^{n_1+n_3}\alpha \multimap !^{n_4}\alpha),\ x : !^{n_3+n_5}(!^{n_2}\alpha \multimap !^{n_1}\alpha) \vdash \lambda y.(x(x\,y)) : !^{n_2+n_3+n_5}\alpha \multimap !^{n_4+n_5}\alpha$
    ---------------------------------------------------------------------------------------------------------------------- $!^{n_6}$
    $x : !^{n_5+n_6}(!^{n_1+n_3}\alpha \multimap !^{n_4}\alpha),\ x : !^{n_3+n_5+n_6}(!^{n_2}\alpha \multimap !^{n_1}\alpha) \vdash \lambda y.(x(x\,y)) : !^{n_6}(!^{n_2+n_3+n_5}\alpha \multimap !^{n_4+n_5}\alpha)$
    ---------------------------------------------------------------------------------------------------------------------- contr
    $x : !^{n_5+n_6}(!^{n_1+n_3}\alpha \multimap !^{n_4}\alpha) \vdash \lambda y.(x(x\,y)) : !^{n_6}(!^{n_2+n_3+n_5}\alpha \multimap !^{n_4+n_5}\alpha)$

The last rule - contraction - is correct in EAL iff the types of $x$ are unifiable and banged. In other words, iff the following constraints are satisfied:

$n_1, n_2, n_3, n_4, n_5, n_6 \in \mathbb{N}\ \wedge\ n_5 = n_3 + n_5\ \wedge\ n_1 + n_3 = n_2\ \wedge\ n_4 = n_1\ \wedge\ n_5 + n_6 \geq 1$.

The second, third and fourth of these constraints come from unification; the last one from the fact that contraction is allowed only on exponential formulas. These constraints are equivalent to

$n_1, n_5, n_6 \in \mathbb{N}\ \wedge\ n_3 = 0\ \wedge\ n_1 = n_2 = n_4\ \wedge\ n_5 + n_6 \geq 1$.

Since clearly these constraints admit solutions, we conclude the decoration procedure obtaining

    $x : !^{n_5+n_6}(!^{n_1}\alpha \multimap !^{n_1}\alpha) \vdash \lambda y.(x(x\,y)) : !^{n_6}(!^{n_1+n_5}\alpha \multimap !^{n_1+n_5}\alpha)$
    ------------------------------------------------------------------------------------------------------------------
    $\vdash \lambda xy.(x(x\,y)) : !^{n_5+n_6}(!^{n_1}\alpha \multimap !^{n_1}\alpha) \multimap !^{n_6}(!^{n_1+n_5}\alpha \multimap !^{n_1+n_5}\alpha)$

Thus two has EAL types $!^{n_5+n_6}(!^{n_1}\alpha \multimap !^{n_1}\alpha) \multimap !^{n_6}(!^{n_1+n_5}\alpha \multimap !^{n_1+n_5}\alpha)$ for $n_1, n_5, n_6$ solutions of

$n_1, n_5, n_6 \in \mathbb{N}\ \wedge\ n_5 + n_6 \geq 1$.

We may display the full derivation in a more manageable way, representing 
the skeleton with the syntax tree of the lambda term with edges labelled with 
types and adding boxes representing the ! introduction rules, as in Figure 2. 

[Figure 2 (image not reproduced): the syntax tree of two, with edges labelled by the general EAL-types of the derivation above and boxes for the $!^{n_i}$ rules.]

Fig. 2. Meta EAL type derivation of two. 

Finally notice that at the beginning of this section, we started with "one 
(sequent) derivation" for two (there are other derivations, building in a different 
way the application $x(x\,y)$). If that derivation had produced an unsolvable set of 
constraints, the procedure should restart with another derivation. To avoid this 
problem, our search for maximal decorations (i.e., the collection of constraints) is 
not performed on sequent derivations, but on the syntax tree of the term. How- 
ever, the fact that multiple derivations for a term and principal type scheme are 
possible will surface again. It may happen that a solution to a set of constraints 
corresponds to more than one derivation (a superposition of derivations), with 
non compatible box-assignments. In this case, Lemma 6 ensures that compatible 
box assignments may be found. 

2 Type Inference 

A class of types for an EAL-typeable term can be seen as a decoration of a simple 
type with a suitable number of boxes. The main contribution of the paper is an 
algorithm collecting integer constraints whose solutions correspond to proper 
box assignments. 

Definition 1. A general EAL-type $\Theta$ is generated from the following grammar: 

$\Theta ::= o \mid \Theta \multimap \Theta \mid\ !^{n_1 + \cdots + n_k}\Theta$, 

where $n_1, \ldots, n_k$ are variables ranging over the integers. 

Definition 2 (Type Synthesis Algorithm). Given a simply typeable lambda 
term and its principal type scheme $M : \sigma$, the type synthesis algorithm $T(M : \sigma)$ 
returns a triple $(\Theta, B, A)$, where $\Theta$ is a general EAL-type, $B$ is a base (i.e. a 
multi-set of pairs variable, general EAL-type) and $A$ is a set of linear constraints. 

The algorithm $T(M : \sigma)$ is defined in the Appendix. One of the crucial issues 
is the localization of the points where derivations may differ for the presence 
or absence of boxes around some subterms. This is the role of critical points, 
managed by the boxing procedure (see A.3). 

Proposition 1 (Termination). Let $M$ be a simply typed term and let $\sigma$ be its 
most general type. $T(M : \sigma)$ always terminates with a triple $(\Theta, B, A)$. 

The algorithm is exponential in the size of the λ-term, because to investigate 
all possible derivations we need to (try to) box all possible combinations of 
critical points (see the clauses for the product union in A.4). 

Correctness and completeness of T are much simpler if, instead of EAL, we 
formulate proofs and results with reference to an equivalent natural deduction 
formulation. 



2.1 NEAL 

The natural deduction calculus (NEAL) for EAL is given in Figure 3 after [ ]. 

Lemma 1 (Weakening). If $\Gamma \vdash_{NEAL} A$ then $B, \Gamma \vdash_{NEAL} A$. 



    $\Gamma, A \vdash_{NEAL} A$

    $\Gamma \vdash_{NEAL} !A$    $\Delta, !A, !A \vdash_{NEAL} B$
    -------------------------------------------------- contr
               $\Gamma, \Delta \vdash_{NEAL} B$

    $\Gamma, A \vdash_{NEAL} B$
    ------------------------------------ ($\multimap$ I)
    $\Gamma \vdash_{NEAL} A \multimap B$

    $\Gamma \vdash_{NEAL} A \multimap B$    $\Delta \vdash_{NEAL} A$
    ---------------------------------------------------- ($\multimap$ E)
               $\Gamma, \Delta \vdash_{NEAL} B$

    $\Delta_1 \vdash_{NEAL} !A_1\ \cdots\ \Delta_n \vdash_{NEAL} !A_n$    $A_1, \ldots, A_n \vdash_{NEAL} B$
    --------------------------------------------------------------------------------- !
               $\Gamma, \Delta_1, \ldots, \Delta_n \vdash_{NEAL} !B$

Fig. 3. Natural Elementary Affine Logic in sequent style notation 

To annotate NEAL derivations, we use terms generated by the following 
grammar (elementary terms): 

$M ::= x \mid \lambda x.M \mid (M\ M) \mid\ !(M)[M/x, \ldots, M/x] \mid \|M\|^{M}_{x,x}$ 

Observe that in $!(M)[M/x, \ldots, M/x]$, the $[M/x]$ is a kind of explicit substi- 
tution. To define ordinary substitution, define first the set of free variables of a 
term $M$, $FV(M)$, inductively as follows: 



Typing Lambda Terms in Elementary Logic with Linear Constraints 






— $FV(x) = \{x\}$ 

— $FV(\lambda x.M) = FV(M) \setminus \{x\}$ 

— $FV(M_1\ M_2) = FV(M_1) \cup FV(M_2)$ 

— $FV(!(M)[M_1/x_1, \ldots, M_n/x_n]) = \bigcup_{i=1}^{n} FV(M_i)$ 

— $FV(\|M\|^{N}_{x_1,x_2}) = (FV(M) \setminus \{x_1, x_2\}) \cup FV(N)$ 

Ordinary substitution $N\{M/x\}$ of a term $M$ for the free occurrences of $x$ in 
$N$ is defined in the obvious way. The (pedantic) exponential cases are as follows: 

1. $!(N)[P_1/x_1, \ldots, P_n/x_n]\{M/x\} =\ !(N\{y_1/x_1\} \cdots \{y_n/x_n\}\{M/x\})[P_1\{M/x\}/y_1, \ldots, P_n\{M/x\}/y_n]$ 
if $x \notin \{x_1, \ldots, x_n\}$, where $y_1, \ldots, y_n$ are all fresh variables; 

2. $!(N)[P_1/x_1, \ldots, P_n/x_n]\{M/x\} =\ !(N)[P_1\{M/x\}/x_1, \ldots, P_n\{M/x\}/x_n]$ if $\exists i$ s.t. $x_i = x$; 

3. $\|N\|^{P}_{y,z}\{M/x\} = \|N\{y'/y\}\{z'/z\}\{M/x\}\|^{P\{M/x\}}_{y',z'}$ if $x \notin \{y, z\}$, where $y', z'$ are fresh vari- 
ables; 

4. $\|N\|^{P}_{y,z}\{M/x\} = \|N\|^{P\{M/x\}}_{y,z}$ if $x \in \{y, z\}$. 

Elementary terms may be mapped to λ-terms, by forgetting the exponential 
structure: 

— $x^* = x$ 

— $(\lambda x.M)^* = \lambda x.M^*$ 

— $(M_1\ M_2)^* = (M_1^*\ M_2^*)$ 

— $(!(M)[M_1/x_1, \ldots, M_n/x_n])^* = M^*\{M_1^*/x_1, \ldots, M_n^*/x_n\}$ 

Definition 3 (Legal elementary terms). The elementary terms are legal 
under the following conditions: 

1. $x$ is legal; 

2. $\lambda x.M$ is legal iff $M$ is legal; 

3. $(M_1\ M_2)$ is legal iff $M_1$ and $M_2$ are both legal and $FV(M_1) \cap FV(M_2) = \emptyset$; 

4. $!(M)[M_1/x_1, \ldots, M_n/x_n]$ is legal iff $M$ and $M_i$ are legal for any $i$, $1 \leq i \leq n$, 
and $FV(M) = \{x_1, \ldots, x_n\}$ and ($i \neq j \Rightarrow FV(M_i) \cap FV(M_j) = \emptyset$); 

5. $\|M\|^{N}_{x,y}$ is legal iff $M$ and $N$ are both legal and $FV(M) \cap FV(N) = \emptyset$. 

Proposition 2. If $M$ is a legal term, then every free variable $x \in FV(M)$ is 
linear in $M$. 
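The free-variable function, the legality conditions of Definition 3 and the erasure map, as an added example that is not code from the paper: the tuple encoding of elementary terms and the helper names are ours, and since the text gives no erasure clause for contraction we assume $(\|M\|^{N}_{x,y})^* = M^*\{N^*/x, N^*/y\}$. The sample terms are the box written out in full in the footnote to the proof of Lemma 6 below and two small constructed terms.

```python
# Added example, not code from the paper: elementary terms as tagged tuples
# with FV, the legality test of Definition 3 and the erasure (.)* to plain
# lambda-terms.  Encoding (ours) of the grammar in the text:
#   ('var', x)  ('lam', x, M)  ('app', M, N)
#   ('box', M, [(M1, x1), ...])  for !(M)[M1/x1, ..., Mn/xn]
#   ('con', M, N, x, y)          for ||M||^N_{x,y}
# The text gives no erasure clause for contraction; we ASSUME
# (||M||^N_{x,y})* = M*{N*/x, N*/y}.

def fv(t):
    """Free variables, following the inductive definition in the text."""
    k = t[0]
    if k == 'var':
        return {t[1]}
    if k == 'lam':
        return fv(t[2]) - {t[1]}
    if k == 'app':
        return fv(t[1]) | fv(t[2])
    if k == 'box':
        return set().union(*(fv(m) for m, _ in t[2]))
    if k == 'con':
        return (fv(t[1]) - {t[3], t[4]}) | fv(t[2])
    raise ValueError(k)

def disjoint(*sets):
    """True iff the sets are pairwise disjoint."""
    seen = set()
    for s in sets:
        if seen & s:
            return False
        seen |= s
    return True

def legal(t):
    """Definition 3: variables are shared only through contraction, and a
    boxed body's free variables are exactly those listed in its brackets."""
    k = t[0]
    if k == 'var':
        return True
    if k == 'lam':
        return legal(t[2])
    if k in ('app', 'con'):
        return legal(t[1]) and legal(t[2]) and disjoint(fv(t[1]), fv(t[2]))
    if k == 'box':
        body, subs = t[1], t[2]
        return (legal(body) and all(legal(m) for m, _ in subs)
                and fv(body) == {x for _, x in subs}
                and disjoint(*(fv(m) for m, _ in subs)))
    raise ValueError(k)

def subst(t, env):
    """Simultaneous substitution on plain lambda-terms; assumes, as the
    text's fresh-variable conventions ensure, that binders capture nothing."""
    k = t[0]
    if k == 'var':
        return env.get(t[1], t)
    if k == 'lam':
        inner = {v: m for v, m in env.items() if v != t[1]}
        return ('lam', t[1], subst(t[2], inner))
    return ('app', subst(t[1], env), subst(t[2], env))

def erase(t):
    """The map (.)*: forget boxes and contractions."""
    k = t[0]
    if k == 'var':
        return t
    if k == 'lam':
        return ('lam', t[1], erase(t[2]))
    if k == 'app':
        return ('app', erase(t[1]), erase(t[2]))
    if k == 'box':
        return subst(erase(t[1]), {x: erase(m) for m, x in t[2]})
    n_star = erase(t[2])  # assumed clause for contraction, see above
    return subst(erase(t[1]), {t[3]: n_star, t[4]: n_star})

def show(t):
    if t[0] == 'var':
        return t[1]
    if t[0] == 'lam':
        return '\\%s.%s' % (t[1], show(t[2]))
    return '(%s %s)' % (show(t[1]), show(t[2]))

def V(x):
    return ('var', x)

def A(m, n):
    return ('app', m, n)

# The box from the footnote on legal terms: every free variable of the body
# is listed in the brackets (the renamed copies x0', ... are plain variables).
BODY = A(A(A(V('x0'), V('x1')), V('y')), A(A(V('x4'), V('x5')), V('w')))
SUBS = [(V("x0'"), 'x0'), (V("x1'"), 'x1'), (A(V('x2'), V('x3')), 'y'),
        (V("x4'"), 'x4'), (V("x5'"), 'x5'), (A(V('x6'), V('x7')), 'w')]
GOOD_BOX = ('box', BODY, SUBS)
# The same body with x0, x1, x4, x5 missing from the brackets is not legal.
BAD_BOX = ('box', BODY, [SUBS[2], SUBS[5]])
# Sharing x through an application is not legal; through contraction it is.
SHARED_APP = A(V('x'), V('x'))
SHARED_CON = ('con', A(V('x1'), V('x2')), V('x'), 'x1', 'x2')
```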



Note 1. From now on we will consider only legal terms. 

Notation. Let $\Gamma = \{x_1 : A_1, \ldots, x_n : A_n\}$ be a basis. $dom(\Gamma) = \{x_1, \ldots, x_n\}$; 
$\Gamma(x_i) = A_i$; $\Gamma \restriction V = \{x : A \mid x \in V \wedge A = \Gamma(x)\}$. 

Legal terms are the ones induced by the Curry-Howard isomorphism applied 
to NEAL-derivations (see [ ] for different approaches to Curry-Howard iso- 
morphism for Linear and Light Linear Logic). The term assignment system is 
shown in Figure 4, where all bases in the premises of the contraction, $\multimap$ elimi- 
nation and !-rule have domains with empty intersection. 
    $\Gamma, x : A \vdash x : A$

    $\Gamma, x : A \vdash M : B$
    ---------------------------------------- ($\multimap$ I)
    $\Gamma \vdash \lambda x.M : A \multimap B$

    $\Gamma \vdash M : A \multimap B$    $\Delta \vdash N : A$
    ------------------------------------------------------ ($\multimap$ E)
               $\Gamma, \Delta \vdash (M\ N) : B$

    $\Gamma \vdash M : !A$    $\Delta, x : !A, y : !A \vdash N : B$
    ---------------------------------------------------------- contr
               $\Gamma, \Delta \vdash \|N\|^{M}_{x,y} : B$

    $\Delta_1 \vdash M_1 : !A_1\ \cdots\ \Delta_n \vdash M_n : !A_n$    $x_1 : A_1, \ldots, x_n : A_n \vdash N : B$
    ------------------------------------------------------------------------------------------- !
               $\Gamma, \Delta_1, \ldots, \Delta_n \vdash\ !(N)[M_1/x_1, \ldots, M_n/x_n] : !B$

Fig. 4. Term Assignment System for Natural Elementary Affine Logic 



Lemma 2. 1. If $\Gamma \vdash_{NEAL} M : A$ then $FV(M) \subseteq dom(\Gamma)$; 

2. if $\Gamma \vdash_{NEAL} M : A$ then $\Gamma \restriction FV(M) \vdash_{NEAL} M : A$. 

Lemma 3 (Substitution). If $\Gamma, x : A \vdash_{NEAL} M : B$ and $\Delta \vdash_{NEAL} N : A$ and 
$dom(\Gamma) \cap dom(\Delta) = \emptyset$ then $\Gamma, \Delta \vdash_{NEAL} M\{N/x\} : B$. 

Theorem 1 (Equivalence). $\Gamma \vdash_{EAL} A$ if and only if $\Gamma \vdash_{NEAL} A$. 



Lemma 4 (Unique Derivation). For any legal term $M$ and formula $A$, if 
there is a valid derivation of the form $\Gamma \vdash_{NEAL} M : A$, then such derivation is 
unique (up to weakening). 

Although we are not interested in this paper in the dynamics (i.e., normal- 
ization) of NEAL, a notion of reduction is needed to state and obtain our main 
result. We have first two logical reductions ($\to_\beta$ and $\to_{dup}$) corresponding to the 
elimination of principal cuts in EAL. The other five reductions are permutation 
rules, allowing contraction to be moved out of a term. 

$(\lambda x.M\ N) \to_\beta M\{N/x\}$ 

[Rules $\to_{dup}$, $\to_{!-!}$, $\to_{@-c}$, $\to_{!-c}$, $\to_{c-c}$ and $\to_{\lambda-c}$: display not recoverable from the scan.] 

where $M'$ in the $\to_{dup}$-rule is obtained from $M$ replacing all its free variables 
with fresh ones ($x_i$ is replaced with $y_i$); $x'_1$ and $x'_2$ in the $\to_{@-c}$-rule, $y'$ and $z'$ 
in the $\to_{!-c}$-rule and $y'_1, y'_2$ in the $\to_{c-c}$-rule are fresh variables. 

Definition 4. The reduction relation on legal terms is defined as the reflexive 
and transitive closure of the union of $\to_\beta$, $\to_{dup}$, $\to_{!-!}$, $\to_{@-c}$, $\to_{!-c}$, $\to_{c-c}$ and $\to_{\lambda-c}$. 

Proposition 3. Let $M \to N$ and $M$ be a legal term; then $N$ is a legal term. 

Proposition 4. Let $M \to_r N$ where $r$ is not $\beta$; then $M^* = N^*$. 

Lemma 5. Let $M$ be in $\{dup, !-!, @-c, !-c, c-c, \lambda-c\}$-normal form; then 

1. if $R = \|N\|^{P}_{x,y}$ is a subterm of $M$, then either $P = (P_1\ P_2)$ or $P$ is a variable; 

2. if $R =\ !(N)[P_1/x_1, \ldots, P_k/x_k]$ is a subterm of $M$, then for any $i \in \{1, \ldots, k\}$ 
either $P_i = (Q_i\ S_i)$ or $P_i$ is a variable. 

Theorem 2 (Subject Reduction). Let $\Gamma \vdash_{NEAL} M : A$ and $M \to N$; then 
$\Gamma \vdash_{NEAL} N : A$. 



2.2 Properties of the Type Synthesis Algorithm 

Lemma 6 (Superimposing of derivations). Let $T(M : \sigma) = (\Theta, B, A)$ and 
let $A$ be solvable. If there is a solution $X_1$ of $A$ that instantiates two boxes 
belonging to two superimposed derivations that are not compatible, then there 
exists another solution $X_2$ where all the instantiated boxes belong to the same 
derivation. 

Moreover the instantiations $\Theta', B'$ of $\Theta, B$ using $X_1$ and the instantiations 
$\Theta'', B''$ of $\Theta, B$ using $X_2$ are identical. 



Proof. (sketch) We may think of boxes as levels; boxing a subterm can then be 
seen as raising that subterm, as in Figure 5, where also some types label the 
edges of the syntax tree of a simple term. In particular, the edge starting from 
the @-node and ending in $x_0$ has label $(\alpha \multimap (\beta \multimap \gamma))$ at level 0 (nearest to 
$x_0$) and has label $!^{n_2}(\alpha \multimap (\beta \multimap \gamma))$ at level $n_2$. This is the graphical counterpart 
of the !-rule 

    $\ldots, x_0 : \tau, \ldots \vdash \ldots$
    ------------------------------------------ $!^{n_2}$
    $\ldots, x_0 : !^{n_2}\tau, \ldots \vdash \ldots$

The complete decoration of Figure 5 can be produced in NEAL in two ways: by 
[Figure 5 (image not reproduced); one of its edges is labelled $!^{n_1+n_2}\gamma$.] 

Fig. 5. Boxes can be viewed as levels. 

the instantiation of 

$!^{n_1}((((x_0\ x_1)\ y)((x_4\ x_5)\ w)))[(x_2\ x_3)/y, (x_6\ x_7)/w]$ 

and^2 

$!^{n_1}(((z\ (x_2\ x_3))((x_4\ x_5)\ w)))[(x_0\ x_1)/z, (x_6\ x_7)/w]$, 

which are boxes belonging to two different derivations. Graphically such an in- 
stantiation can be represented as in the first row of Figure 6, where incompat- 
ibility is evident from the fact that the boxes are not well stacked; in particular 
the rectangular one covers a hole. To have a correct EAL-derivation it is neces- 
sary to find the equivalent, well stacked configuration (that corresponds to the 
subsequent application of boxes from the topmost to the bottommost). 

The procedure by which we find the well stacked box configuration is visu- 
alized in Figure 6. The reader may imagine the boxes subject to gravity (the 
passage from the first to the second row of Figure 6) and able to fuse with each other 
when they are at the same level (the little square in the third row fuses with the 
solid at its left in the passage from the third to the fourth row). 

The "gravity operator" corresponds to finding the minimal common subterm 
of all the superimposed derivations and it is useful for finding the correct order 
of application of the ! rule. The "fusion operator" corresponds to the elimination 
of a cut between two exponential formulas. Moreover, the final configuration of 
Figure 6 corresponds to a particular solution of the set of constraints produced 
by the type synthesis algorithm, that instantiates the following boxes: 

!”i (!”i (((z u;)((a :4 2:5)^))) [(a:o xi)/z\) [{x 2 2:3)/^]) (xe x^)/t\ 

Finally, notice that during the procedure the types labelling the boundary 
edges of the lambda-term never change, i.e. the instantiations of the term type 
(the label of the topmost edge) and the base types (the labels of the edges at 
the bottom) remain unchanged. 

^2 The correct legal terms should have all free variables inside the square brack- 
ets. We omit to write variables when they are just renamed, for readabil- 
ity reasons (compare the first elementary term above with the correct one 
$!^{n_1}((((x_0\ x_1)\ y)((x_4\ x_5)\ w)))[x'_0/x_0, x'_1/x_1, (x_2\ x_3)/y, x'_4/x_4, x'_5/x_5, (x_6\ x_7)/w]$). 

Fig. 6. Equivalences of boxes. 



Theorem 3 (Soundness). Let $T(M : \sigma) = (\Theta, B, A)$. For every $X$ integer 
solution of $A$, and $B', \Theta'$ instantiations of $B$ and $\Theta$ using $X$, there exists $P$ 
elementary term such that $P^* = M$ and $B' \vdash P : \Theta'$ is derivable in NEAL. 

Proof. By induction on the structure of $M$, using the superimposing lemma. 

Theorem 4 (Completeness). Let $\Gamma \vdash_{NEAL} P : \Phi$ and let $P$ be in $\{!-!, @-c, !-c, c-c, \lambda-c, dup\}$-normal form with contraction only on variables 
($\|N\|^{Q}_{x,y}$ is a subterm of $P$ only if $Q$ is a variable). Let $T(P^* : F) = (\Theta, B, A)$, where $F$ is 
the erasure of $\Phi$, i.e. the simple type obtained from $\Phi$ erasing all ! and converting 
$\multimap$ into $\to$; then there exists $X$ integer solution of $A$ such that the instantiation $B'$ 
of $B$ using $X$ is a subset of $\Gamma$ and $\Phi$ is the instantiation of $\Theta$ using $X$ and 

$B' \vdash_{NEAL} P : \Phi$. 

The request on the $\{!-!, @-c, !-c, c-c, \lambda-c, dup\}$-normal form is not a loss 
of generality, by the subject reduction lemma and Proposition 4. By Lemma 5 
the only restriction is the exclusion of elementary terms with subterms of the 
form $\|N\|^{(Q_1\ Q_2)}_{x,y}$. In a sense, these terms "contract too much". Indeed, it could be 
the case that a term $P$ is elementary thanks to the sharing of a β-redex (inside 
$(Q_1\ Q_2)$). However, the corresponding λ-term $P^*$ cannot share any redex - 
there is no sufficient syntax for this in the λ-calculus - hence $P^*$ could be not 
elementary. As we discussed in the Introduction, our aim is to identify λ-terms 
that are reducible using optimal reduction without the oracle needed for the 
correct matching of fans. The NEAL terms excluded in the completeness theorem 
correspond to EAL proof-nets which are not (the initial encoding of) λ-terms, 
since they contract an application. 

Conclusions 

We presented a complete algorithm to derive EAL-types for λ-terms. One of 
our main goals is the characterization of those terms that can be optimally 
reduced without the oracle, for which EAL-typeability is a sufficient condition. 
One should not see (N)EAL as a programming language; instead, it is a kind of 
intermediate language: if a λ-term is typeable in EAL, then we can compile it 
in a special manner with excellent performance during reduction, otherwise we 
compile it in the usual way, using the oracle. To get a more powerful (and, to 
a certain extent, flexible) language, a major development of this work would be 
the extension of our algorithm to second order EAL. 

The same technique of this paper may be applied to Multiplicative Exponen- 
tial Linear Logic. However, to treat dereliction, the number of constraints grows 
in an exponential way. 

We believe techniques similar to those we used in this paper may be applied to 
type-inference for Light Linear (or Affine) Logic (LLL), a system characterizing 
polytime. A type-inference for LLL would be a uniform proof-technique to prove 
polynomiality of certain algorithms. 

A puzzling open problem is whether there exist terms yielding constraints 
with only non-integer solutions. Of course they have to be non-EAL-typeable 
terms, in view of our completeness theorem. Our extensive experiments never 
produced such a scenario, yet we could not prove that the constraints always 
have integral solutions. Would there be any logical meaning for a term with a 
non-integral number of boxes? 

Acknowledgments. Harry Mairson provided useful criticism and comments 
on the form and the substance of the paper. 
A Appendix 

In the following $n, n_1, n_2$ are always fresh variables, $o$ is the base type. Moreover, 
we consider $!^{n_1}(!^{n_2}\Theta)$ syntactically equivalent to $!^{n_1+n_2}\Theta$. The list of free variable 
occurrences FVO is defined as follows: 

1. $FVO(x) = [x]$; 

2. $FVO(\lambda x.M) = FVO(M) - x$; 

3. $FVO((M_1\ M_2)) = FVO(M_1)\ \texttt{++}\ FVO(M_2)$ (the concatenation of lists). 



A.1 Unification 



= ^{02i,...,02„)=A2 









U Uife=0Ai;A2 



A.2 Contraction (C) and Type Processing 



Tl(!"i+''+’*fcei,e2,...,'9fc)=A 



C(0)=0 



C0 






niH hnfe>l 



5^(o)-{!^o,n>0) 



po 



Where Oi is either F —o A or o. 

'3'icr) = {0,Ai) ^(r) = (r,A 2 ) 

'3>{a^T) = {T(0^r),n>O Ai A 2 ) 



P->- 
A.3 Boxing 

The boxing procedure superimposes all boxes due to the existence of critical 
points. Every time there are two possible EAL-derivations for the unique simple 
type, there is a critical point. For example during the type synthesis of 



$x : \alpha \to \alpha,\ x : \alpha \to \alpha,\ y : \alpha \vdash (x(x\,y)) : \alpha$ 

we need to try all possible decorations of both derivations below 

    $x : \alpha \to \alpha,\ y : \alpha \vdash (x\,y) : \alpha$    $z : \alpha \vdash z : \alpha$
    ------------------------------------------------------------------------
    $x : \alpha \to \alpha,\ x : \alpha \to \alpha,\ y : \alpha \vdash (x(x\,y)) : \alpha$

    $y : \alpha \vdash y : \alpha$    $z : \alpha,\ x : \alpha \to \alpha \vdash (x\,z) : \alpha$
    ------------------------------------------------------------------------
    $x : \alpha \to \alpha,\ x : \alpha \to \alpha,\ y : \alpha \vdash (x(x\,y)) : \alpha$

In our graphical notation, the two decorations appear as follows (the one cor- 
responding to the first derivation is at the left; the star indicates the critical 
point): 

[Figure (image not reproduced): the two decorated syntax trees of $(x(x\,y))$.] 

When the boxing procedure is called during the synthesis of $(x(x\,y))$, the base $B$ is something 
like $\{x : !^{n_1}\alpha \multimap \ldots,\ x : \ldots,\ y : \ldots\}$, where the first $x$ is the 
leftmost in the figure, the type $\Theta$ of $(x(x\,y))$ is $!^{n}\alpha$, the set of critical points 
$cpts$ is $\{(n_4 + n_6 - n_1 = 0, [x, y])\}$ and the set of constraints $A$ is $\{n_4 + n_6 - n_1 = 0;\ n_5 - n_3 = 0\}$ (see inference rules in A.5). 

At that stage of the type synthesis procedure, the decoration corresponds 
to the first one (the two constraints are needed for the correct type matching 
between the two occurrences of $x$ and the respective arguments). The boxing procedure superimposes 
the second derivation, adding $n_7$ boxes as in the second figure, obtaining the 
superimposed decoration 

[Figure (image not reproduced): the superimposed decoration.] 

and modifying the base $B$ into $\{x : !^{n_7}(\ldots),\ x : \ldots,\ y : \ldots\}$ 
and the set of constraints $A$ into $\{n_4 + n_6 - n_1 - n_7 = 0;\ n_5 - \ldots = 0\}$. 

Definition 5. A slice is a set of critical points, i.e. pairs (constraint, list of free 
variable occurrences) as in the following: 

$sl = \{(\Delta^1, [y^1_1, \ldots, y^1_{k_1}]), \ldots, (\Delta^h, [y^h_1, \ldots, y^h_{k_h}])\}$ 

A slice corresponds to a combination of critical points. 
Notation. — $sl(x)$ means that $x$ is an element of every list of variables in 
$sl(x)$. 

— $x \in sl$ if and only if there exists one element of $sl$ whose list of variables 
contains $x$. 

— $\Delta^i \in sl$ if and only if there exists one element of $sl$ whose constraint is $\Delta^i$. 

— Being $\Delta^i$ the constraint $\pm n_{j_1} \pm \cdots \pm n_{j_k} = 0$, $\Delta^i - n$ corresponds to the 
constraint $\pm n_{j_1} \pm \cdots \pm n_{j_k} - n = 0$. 



2S(B.T0,T) = (B,r,A) 



b0 



A.4 Product Union 



Bi r,cpts, 




= {B,A,Ai) 



Bi — ^Xi'A^Oi if Xi^sl Vxi'.Qi if XiCisiy , 
A 2 = (^A^ if A^ ^sl V A^ — n if 

^({xi:0i}i,r,{sl}Ucpts,A) — {B,A,Ai) 



0M 



IUJ0 



0 iu)X=x xmi)=x 

{si2j }ta){sil2 } = ^ 






A.5 Type Synthesis 



^(<7)^(0, A) 

{x:(t) — { 0 ,x:O,A,(^) 

((Ml M 2 ):T) — {r,B\H{x:0i,...,x:Oh},Ai,cpts\j{sli{x),...,slk{x)}) 
C{0u...,0h)=A2 

— sAx@ 

&^{Xx.{Mi M2):cr^r)^{0i^r,B,Ai-A2,cpts) 



Where h > 1. 



cpts—cptsiU{{n—Y2 rti—0,FVQ{Mi M2))} 

’3‘(a) = {0A2) 

M 2 ):T) = {\^"-ir,B,Ai,cptsi) 



if(\x.(Mi 




\''r,B, 



A\ 

A 2 



n>0 

rii—0 




sA@ 



Where B is not exponential 
and x does not occur free in 
the body of the abstraction. 



C(!^0l,...,!^0;^)=A2 



S^(Si ^r\^{sli{x)} iVJcpts ^A) — {B\S{x:0 \ . ,x:0/j }, 1^,711) 
{M:r) = {ri,Bi,A,{sli{x)}iUcpts) 

&"{Xx.M-.a^r)^{0i^r r,r B,Ai;A2;n>0,cpts) 
S?(<T)=<e,A3) 

2S(Bi,A.cpis,Ai) = <B,r,A 2 ) 

if {M:r) — {ri,Bi,Ai ,cpts) 

77> 

^(Afc.M:cr^T) = ( 0 — o!^i~’,!”'S,A 2 ;^ 3 ;n.> 0 ,cpts) 

S^(Bii±l!”'iB3,r'i,cptsilUlcpts2,Ai;A3;^4;ni>0) — 

^(!’"i03,0i)=A4 

(B 2 , 02 , CptS 2 ,A 2 ) — (- 63 , 03 ,^ 43 ) 

{N:{r) — {02,B2,A2,cpts2) 

{Xx.M:<T—fT) — {0i — oFi ,Si , Ai jCptsi) 

{{Xx.M N):t) — {\^ r,\‘^ B,A;n'>0,cptsi\}3cpts2) 



Where h > 1 and M is not an 
application. 



Where B is not exponential, M is not an 
application and x does not occur free in 
the body of the abstraction. 



s@A 



Where N is not an applica- 
tion. 
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ttl!”"! B 2 ,-Ti ,cpisi lUlcpts 3 ,Ai ; A 2 M 3 ;ni '>0) — {B,r,A) 
cpts^—cpts2Li{{A^,FW{{Ni A^2)))} 

°lA(!”i02.ei)=A3 

ifUNi N2)-.(T) = {02,B2,A2,cptS2) 

&'{\x.M:a^T) = {0i^ri,Bi,Ai,cptsi) 

— TT S@A@ 

J {{Xx.M (Ni N 2 ))'.t) — {\^ B ,A;n'>0,cptsiWcpts^) 

ttl!”"! B^ ,Bi ,cptsiV^cpts2 '^ij — OMi M3M4 ^'^i ^ 0 ) — 

^(!’"ie3,Oi)=A4 

( B2 , 02 , cpt S 2 M2 ) — {^3 1^3 Ms ) 

(N:(T) = {02,B2,A2,CptS2) 

— ^3 (Oi—ori),Bi,Ai,cptsi) 

7c 

^ {{x N):t) — {\^ r,\^ B ,A;n>0^cptsi\i3cpts2) 

ttl!”"! B2,Bi ,cptsi\^^cpts3 ,Y2 'f^ij — OMl M2M3^'^1 ^ 0 ) — (-^MM) 

cpts3—cpts2U{{A^,F'JD{{Ni A^2)))} 

^(!’"102,0i)-A3 

N2)-<y) — {02-,B2-,A2-,CptS2) 

&^{x:a—^r) — {\^ ^3 {^Qi—or\),B\,A\,cpts\) 

— s@a:@ 

^ {{x {N\ N2 ))'-t)=-{\^ r,\^ B ^A\n'>{),cptsi\^cpts3) 

ttl!”"! B3 Ml ,CpiS 3 lUlcpiS 2 ,Y2 —OMl M 3 M 4 ^'^i ^0^ — (SMM) 

°H(!”ie3,ei)=A4 

cpts 3 —cptsiU{{'^ Tii— 0 ,FVQ((Mi M 2 )))} 

'3^{B2-,02iCptS2 M 2 ) — {^3 7 03 7^3) 

(A^:(t) — (02, -62,2^2, cpis2) 

if ((Ml M 2 ):cr->-r) = (!^"*J (01 ^ A ) .B, ,cptsi ) 

— s@@ 

J {{Ml M2) N):t) — {\'^ r,\^ B ,A‘,n>0^cpts3\i3cpts2) 
l±l!^l B2,Bi ,CptS3\}iicptS4,Y2 ffij —OMl M2M3^'^1 ^0^ = (S,M-^) 

cptS4 = cptS2yJ{(A\,¥'!0((Ni Af 2 )))} 

°H(!"ie2.0i)=A3 

cj?is3— cpisiU{(X] ii’i— 0,FV0((Mi M 2 )))} 

^{{N\ N2)'-<y) — {02-,B2-,A2-,CptS2) 

if ((Ml M2):cr->-r) = (!^"*J (0i^ri),Bi,Ai,cptsi) 

— s@@@ 

j {{Ml M2) {Ni N2 ))‘-t) — {\^ r,\'^ B iA\n'>0^cpts3^cpts4) 



Where N is not an 
application. 



Where N is not an 
application. 



A. 6 Type Synthesis Algorithm: if 

if simply forgets the set of critical points and eventually contracts common 
variables in the base. 

if (M:a—(0,B,A,cpts) 
if(M-.a) = (0,B,A) 

If all variables in B are distinct. Otherwise 

C(!" 0 i^,....!" 0 fc^)=Ah ... C(!" 0 ii,...,!'* 0 fcJ=. 4 i 

ft(M:o-) = (0,{a:i:0ij ,...,a;i:0fcj Xh-0i ■■ ■,Xh-0kiJ\, A, cpts) 

if (M:cr) = ^!”0,{a;i:!”0ij ,...,a;fe :!”0i^ } ,A;.4i ;...;Ah;n>o) 




Ramified Recurrence with Dependent Types 



Norman Danner* 

Department of Mathematics, University of California, Los Angeles 
ndanner@member.ams.org



Abstract. We present a version of Gödel's system T in which the types are ramified in the style of Leivant and a system of dependent typing is introduced. The dependent typing allows the definition of recursively defined types, where the recursion is controlled by ramification; these recursively defined types in turn allow the definition of functions by repeated iteration. We then analyze a subsystem of the full system and show that it defines exactly the primitive recursive functions. This result supports the view that when data use is regulated (for example, by ramification), standard function constructions are intimately connected with standard type-theoretic constructions.



1 Introduction 

Recently there has been a great deal of interest in characterizing function classes such as polynomial time with definitions that make no explicit mention of resources or bounds. This general area of study is referred to as implicit computational complexity. One of the field's major tools is the notion of safe, or ramified, recurrence. The general idea is to use standard notions of definition by recurrence (such as primitive recursion) but to classify the arguments into different types. For example, in safe recurrence, function arguments are classified as either normal or safe. One thinks of the former as being arguments that have been predicatively defined; intuitively, one can use g(x) in a normal position only if g has been completely defined as a function. The safe arguments are available for impredicatively defined data. In particular, when f(x, y) is defined by a recursion f(x, 0) = g(x) and f(x, y+1) = g(x, y, f(x, y)), we have not completely defined f before using its output as an argument to g. Thus, this argument of g takes impredicatively defined data, and must therefore be safe.

This view has proven to be very fruitful. Bellantoni and Cook [?] characterize the polynomial-time computable functions using safe recursion with no ad-hoc initial functions such as the smash function ((x, y) ↦ ) and without any explicit bounds on definition by recursion. Leivant [?] captures the same class using a more general ramification notion, for which functions computable in time are defined using ramification levels ≤ k. Passing out of the

* The author would like to thank Daniel Leivant and the referees for several helpful suggestions. The type derivations are typeset with Makoto Tatsuta's proof.sty package, version 3.0. The author was partially supported by National Science Foundation grant number DMS-9983726.

S. Abramsky (Ed.): TLCA 2001, LNCS 2044, pp. 91–105, 2001.

© Springer-Verlag Berlin Heidelberg 2001






realm of feasibility, Covino et al. [?] add a scheme of "constructive diagonalization" to define classes 7^ for α < ε_0 so that 1J„7^ is exactly the polynomial-time computable functions and ⋃_{α<ε_0} 7^ is exactly the elementary-time computable functions. The author and Pollett add a safe minimization operator to Bellantoni–Cook's safe recursion to capture the partial multifunctions computable in nondeterministic polynomial time (see Selman [17] for details about this class). Bellantoni [?] uses a different safe minimization operator to capture the functions computable in polynomial time with oracles from the polynomial hierarchy. Finally, Leivant and Marion [?] use ramification combined with parameter substitution to characterize the polynomial-space computable functions.

In all of these characterizations, the authors use only type-1 functions. However, Bellantoni et al. combine higher types with a notion of linearity to define a system the type-1 fragment of which is polynomial time. Hofmann [?] uses notions of modal types and linear function spaces to obtain a similar result. The result we are most interested in here, though, is that of Leivant [?], who extends the notion of ramification of [?] to all finite types in order to define a ramified variant of Gödel's System T of functionals [?] definable by primitive recursion in all finite types. Whereas the type-1 fragment of System T captures the functions provably recursive in Peano Arithmetic, the functions of Leivant's system are exactly those computable in elementary time.¹ The key idea in extending ramification to higher types is to understand it as specifying information about the use of data. In Leivant's notation, a functional f of type σ → σ is iterated by an object of type Ωσ; i.e., if g(0) = a and g(x+1) = f(g(x)), then g is given the type Ωσ → σ.

As we have just discussed, when data use is carefully regulated in this way, we are unable to define very complex functions (from a classical point of view, where elementary-time functions are considered simple). However, this fact opens up a very interesting line of inquiry. Once one passes to higher types, it is natural to ask about type-forming operations other than the function space type constructor. An obvious question is whether other standard constructions such as polymorphism and dependent types, when combined with (alternatively, restricted by) data ramification, can be used to define more complex functions. Specifically, two constructions predominate in the study of subrecursive hierarchies: iteration and diagonalization (see Rose [?]). Are there type constructors that correspond to these operations? In this paper, we consider iteration and show that it is intimately connected with dependent type formation. To do so, we add dependent types to Leivant's ramified version of System T and show that this extension allows us to define functions by iteration. In a subsystem of the extension, definition by iteration may be repeated any finite number of times, and so the resulting system provides a type-theoretic characterization of the primitive recursive functions using one of the standard constructs of type theory.

¹ It is also interesting to note that when recursion is restricted to object type in System T, the resulting class is exactly the primitive recursive functions; the corresponding restriction in Leivant's system (adapted to binary words) yields the polynomial-time computable functions.

The plan of this paper is as follows. In the next section, we motivate the use of dependent types by considering the passage from the doubling function to exponentiation in Leivant's system. Section 3 is given over to formally defining the type system λR and its subsystem λR_0; the latter is our concern in this paper. In Sections 4 and 5 we prove that the functions definable in λR_0 are exactly the primitive recursive functions. We close in Section 6 with some speculation about using polymorphism to implement diagonalization.

2 Motivation: Why Dependent Types?

We motivate our use of dependent types by considering the passage from the function dbl(x) =df 2x to exp(x) =df 2^{x+1} = dbl^x(2), where f^0(y) = y and f^{n+1}(y) = f(f^n(y)). As noted above, in Leivant's system an argument used to iterate a function of type σ → σ is given type Ωσ. As dbl is obtained by iterating the successor function, which is represented by a term of type Nat → Nat, we have that dbl is represented by a term dbl : ΩNat → Nat. Since only functions with the same input and output type may be iterated, the doubling function cannot be iterated to obtain exponentiation. In Leivant's system, exp is instead obtained by iterating the double-application functional (f, x) ↦ f(f(x)) starting with the successor; the corresponding term has type Ω(Nat → Nat) → Nat.

Semantically we understand types of the form Ωσ to be interpreted as the natural numbers (although there are models in which this is false). Thus we refer to Nat or any type of the form Ωσ as an object type. One can in fact define terms dbl_σ : Ωσ → σ for any object type σ to obtain terms dbl_{Ωσ} : Ω²σ → Ωσ, dbl_{Ω²σ} : Ω³σ → Ω²σ, etc. Further, the definitions of the various terms dbl_σ are all the same modulo the different types. Thus it seems that if one had a term that, given the numeral n̄ as an argument, could "construct" the term dbl_{Ω^n Nat}, one could then define a term exp representing exponentiation such that

  exp n̄ = dbl_Nat(dbl_{ΩNat}(… (dbl_{Ω^{n−1}Nat} 2̄) …)).

Here the type(s) of dbl depend on the argument term; following Barendregt [3], this is the paradigm for dependent types. Thus we define a system of ramified recurrence with dependent types, the key feature of which is a recursor term R̄ of type

  Πx^A.B[x] → (Πx^A.B[sx] → B[x]) → Ω(Πx^A.B) → B[z^A].

Typically, we use R̄ to iterate a term that can be given a recursively constructed type of the form Ω^{n+1}σ → Ω^nσ. For example, we may define the type constructor Q in this system so that for an appropriately typed numeral n̄, Q n̄ = Ω^n Nat. Furthermore, we can define a term dbl : Πn.Q(sn) → Qn reflecting the uniformity of the definition of the doubling term in the usual ramified setting. The reduction rules for R̄ will be defined in such a way that if we define exp as R̄ 2̄ dbl, we will have that exp n̄ expands as indicated in the previous paragraph.

We present the formalism λR following a style similar to [3]. Because of the dependence of types upon terms, we must first define a set of expressions, then provide inference rules for judging that a given expression is a kind, type, type constructor, or term. Here, we stratify the types into kinds T_j for j ≥ −1. The kind T_{−1} consists of object types such as Nat and Ω(Nat → Nat); the intended interpretation of every element of T_{−1} is the natural numbers. For j ≥ 0, T_{j+1} contains T_j as an element and is closed under products indexed by types of T_i for i ≤ j.² T_0 is similar, but contains T_{−1} as a subset. The kinds consist of the T_j and are closed under type-indexed products. This allows us to name functions on types (e.g., the type constructor Q mentioned above represents a map from T_{−1} to T_{−1}). In Barendregt's notation, we are using elements of λP (dependent types) and λω (functions at the type level).



3 The Dependent Typing System 



As usual with systems of dependent types, since the types may depend on the terms, we first define a set of expressions, then give inference rules for assertions of the form Γ ⊢ A : B where Γ is a context and A and B are expressions. We posit a set of variables Var and define the set of expressions as:

  x ∈ Var | s ∈ {□, T_{−1}, T_0, T_1, …} | Nat | ΩA | Πx^A.B |
  z^A | s^A | p^A | c^A | R_A | R̄_A | λx^A.E | EF



The free variables of an expression A, fv A, are defined as usual, as is the substitution of the term F for the variable x in A, A[F/x]. To reduce notation, if an expression such as A[x] is mentioned during exposition, later occurrences of A[F] will mean A[F/x] unless otherwise noted; a similar convention will apply in derivations. The expression A → B is shorthand for Πx^A.B when x ∉ fv B. We now define the inference rules. Throughout, s ranges over □, T_{−1}, T_0, …. First we have two structural rules:



      Γ ⊢ A : s
  ──────────────────  (VarIntro)
  Γ, x : A ⊢ x : A

  Γ ⊢ A : B    Γ ⊢ C : s
  ──────────────────────────  (Weak)
     Γ, x : C ⊢ A : B



Next are the rules for assertions that a given expression names a kind or type:

  ⊢ Nat : T_{−1}        ⊢ T_j : □        ⊢ T_j : T_{j+1}

    Γ ⊢ A : s             Γ ⊢ A : T_{−1}
  ──────────────────     ────────────────
  Γ ⊢ ΩA : T_{−1}         Γ ⊢ A : T_0

  Γ ⊢ A : s'    Γ, w : A ⊢ B[w] : s
  ──────────────────────────────────────
        Γ ⊢ Πx^A.B[x] : s

We allow the axiom ⊢ T_j : T_{j+1} only for j ≥ 0. In the product formation rule, the pairs (s', s) may be (T_j, T_k) for 0 ≤ j ≤ k, (T_j, □) for any j, or (□, □). Now we have the rules for assertions that a given expression names a type constructor or term.³ Our system has constants for predecessor and conditional at every object type, implementing the "flat recurrence" of [?], as well as two recursors R and R̄, which we discuss more fully after defining the reduction rules (technically R is an iterator, but we will ignore this distinction).

² This restriction allows for a reasonably straightforward set-theoretic semantics; because of space, though, we do not pursue this topic here.

  Γ ⊢ A : T_{−1}     Γ ⊢ A : T_{−1}       Γ ⊢ A : T_{−1}
  ──────────────     ────────────────     ────────────────
  Γ ⊢ z^A : A        Γ ⊢ s^A : A → A      Γ ⊢ p^A : A → A

  Γ ⊢ A : T_{−1}
  ───────────────────────────
  Γ ⊢ c^A : A → A → A → A

  Γ ⊢ B : s
  ─────────────────────────────────
  Γ ⊢ R_B : B → (B → B) → ΩB → B

  Γ ⊢ A : T_{−1}    Γ, w : A ⊢ B[w] : s
  ──────────────────────────────────────────────────────────────────────────────
  Γ ⊢ R̄_{Πx^A.B[x]} : Πx^A.B[x] → (Πx^A.B[sx] → B[x]) → Ω(Πx^A.B[x]) → B[z^A]

  Γ, w : A ⊢ E[w] : B[w]    Γ ⊢ Πx^A.B[x] : s        Γ ⊢ E : Πx^A.B    Γ ⊢ F : A
  ─────────────────────────────────────────────      ──────────────────────────────
        Γ ⊢ λx^A.E[x] : Πx^A.B[x]                          Γ ⊢ EF : B[F/x]

Finally, we allow a term to take any of its equivalent types:

  Γ ⊢ E : A    Γ ⊢ A : T_j    Γ ⊢ B : T_j    A = B
  ───────────────────────────────────────────────────
                     Γ ⊢ E : B

where

  (λx^A.D)F = D[F/x]

  p^A(s^A q) = q        c^A z^A E F = E        c^A (s^A q) E F = F

  R_B E F z^{ΩB} = E                R_B E F (s^{ΩB} q) = F(R_B E F q)

  R̄_C E F z^{ΩC} = E z^A            R̄_C E F (s^{ΩC} q) = R̄_C (λw^A.F w (E (s^A w))) F q

where C = Πx^A.B[x] for some A and B in the last line and the equations are extended to all expressions in the obvious way. While these equalities hold for all expressions, we are interested in them only as applied to type constructors and terms.

We now turn our attention to the two recursors. R̄ was discussed in Section 2. Its purpose is to allow the iteration of a term such as dbl, which can be given the type Πm.Q[sm] → Q[m], where Q[n̄] = Ω^n(Nat) and _ gr 2 T_i ^ times). The reduction rules are designed with this purpose in mind; they ensure that in the expansion of dbl m̄ n̄, the innermost dbl has type Q[sm] → Q[m] and the outermost has type Q[sz] → Q[z]. However, these very reduction rules prevent us from using R̄ effectively to recursively build up types. For example, consider the type constructor Q just mentioned. An obvious approach would be to take Q =df R̄(λx^{Nat}.Nat)(λx^{Nat}u^{T_{−1}}.Ωu)m. We will need to assert that Q[sm] = Ω(Q[m]); however, our reduction rules for R̄ tell us that Q[sm] = R̄(λx.Ω(Nat))(λxu.Ωu)m (although for a numeral m̄, we do have that Q[m̄] = Ω^m(Nat), by applying several β-reductions after the R̄-reductions). Thus we introduce the second iterator R with corresponding reduction rules, which will let us define Q as R(Nat)(λu^{T_{−1}}.Ωu)m. In fact, R ought to be a more symmetric version of R̄ by taking its initial argument of type B[z] and a function argument of type Πx.B[x] → B[sx]. Somewhat surprisingly, this poses non-trivial technical challenges related to the type of the recurrence argument. As we do not need the more symmetric version here, we sacrifice it for ease of exposition.

³ The phrases "kind," "type constructor," etc. have no formal meaning here. Typically though, if we are considering an assertion Γ ⊢ A : B, we call A a kind if B = □, a type if B = T_j for some j, a type constructor if there is (at least implicitly) an assertion Δ ⊢ B : □, and a term if there is an assertion of Δ ⊢ B : T_j. Note that types are also type constructors under this reading.

If we view the equations as reduction rules, with the expressions on the left reducing to the expressions on the right, then any derivation of an assertion typing an expression on the left is canonically translated into a derivation of an assertion typing the expression on the right. If 𝒟 and ℰ are the corresponding derivations, we write 𝒟 → ℰ. To handle β-reduction, we need the usual substitution lemma:

Lemma 1. Suppose that 𝒟 is a derivation of Γ, x : A, Δ[x] ⊢ B[x] : C[x] and ℰ is a derivation of Γ ⊢ F : A. Then there is a derivation denoted 𝒟[ℰ/x] of Γ, Δ[F] ⊢ B[F] : C[F].

Proof. Formally 𝒟* is defined by recursion on the height of 𝒟. The only cases of interest are when the last rule of 𝒟 is one of the structural rules. If 𝒟 ends with a variable introduction, 𝒟* is ℰ. Otherwise, suppose that 𝒟 ends with weakening and that the left premise of 𝒟 is 𝒟_0. If the assumptions of the last line of 𝒟_0 do not include x : A, then 𝒟* is 𝒟_0; otherwise, it is 𝒟_0*, which is given inductively.

We denote this typing system λR. The subsystem λR_n is obtained from λR by allowing T_j only for j ≤ n and removing the axiom ⊢ T_n : T_{n+1}; thus we have just the first n "levels" of types, and cannot refer to the top level as an object. λR_n^k is obtained from λR_n by allowing recursor rules only when s ∈ {□, T_{−1}, T_0, …, T_{k−1}}. For the remainder of this paper, we will be primarily concerned with the system λR_0.

Although formally we cannot discuss types or terms independently of assertions, we shall often refer to, for example, a term E[u^{T_{−1}}] : σ. When we do so, we are implicitly claiming that there is a derivation of Γ, u : T_{−1}, Δ ⊢ E : σ. If no particular derivation is specified, then there is a straightforward one to which we are referring.

4 Representing Primitive Recursion

Throughout this section, u will denote a variable of type T_{−1} (i.e., we assume u : T_{−1} occurs in the context of any relevant assertion). Given a type A[u] : T_{−1} and initial type C : T_{−1}, we want a term P such that, when appropriately typed, P n̄ = A[… A[C] …] (n times). The intended application is when A = Ωu, so that P n̄ = Ω^n C. Thus, given C : T_{−1} and A[u], define the term P^A_C =df R C (λt^{T_{−1}}.A[t]) : ΩT_{−1} → T_{−1}. By the reduction rules for R, we have that P^A_C z = C and P^A_C(sq) = A[P^A_C q]; thus P^A_C builds up object types by "repeated application" of A. Furthermore, if the binding of C and A are derivable in λR_0, the same is true of P^A_C.

As we discussed in Section 2, if the output type of a representable function f is related in a suitably uniform manner to its input type and g is defined from f by iteration, then g can also be represented. The purpose of the present section is to formalize our earlier informal argument. First we define two notions of representability of a function f by a term F: (open) representability captures the most straightforward notion, in which the input and output types of F are object types; uniform representability captures the uniform dependence of the output type on the input type necessary for f to be iterated.

Definition 1. Fix any A : T_{−1}. The A-numeral n̄^A is s^A(… (s^A z^A) …) (n applications of s^A) and is typed in the obvious way.

Definition 2. Let f be a unary numeric function.

1. f is openly represented by the term F[u^{T_{−1}}] if there is B[u] : T_{−1} such that F : B → u and for all n we have $F\,\bar n = \overline{f(n)}$.

2. f is represented by F if there is B[u] : T_{−1} such that F : B[Nat] → Nat and for all n we have $F\,\bar n = \overline{f(n)}$.

3. f is uniformly represented by F if there is B[u, m^{ΩT_{−1}}] : T_{−1} such that B[u, z] = u, F : Πm^{ΩT_{−1}}.B[u, sm] → B[u, m], and for all m and n we have

Proposition 1. Let f be a unary function.

1. f is openly represented by F[u^{T_{−1}}] iff f is represented by F[Nat].

2. If f is uniformly represented, then f is openly represented.

Proof. 1. The forward direction is immediate. For the reverse direction, let Π be any derivation of Γ ⊢ E : A and let u be a variable not occurring in Π. Obtain Σ from Π by weakening each leaf of Π to add u : T_{−1} as a premise, then replace Nat throughout with u. It is easy to verify that Σ is a derivation of u : T_{−1}, Γ[u/Nat] ⊢ E[u/Nat] : A[u/Nat]. In particular, if Π is a derivation of ⊢ F : B[Nat] → Nat, then Σ is a derivation of u : T_{−1} ⊢ F[u] : B[u] → u.
2. If f is uniformly represented by F : Πm^{ΩT_{−1}}.B[sm] → B[m], then f is openly represented by Fz because B[z] = u.

Proposition 2.

1. The constant zero and successor functions are represented in λR_0.

2. The λR_0-representable functions are closed under composition.

Proof. (1) is immediate. We prove a special case of (2); the general case is similar. Suppose that the functions f(x) and g(x) are openly represented in λR_0 by the terms F : B[u] → u and G : C[u] → u, respectively. Define G* =df G[B/u]; then λx.F(G* x) : C[B/u] → u clearly represents f ∘ g.

We also note that the R̄-reductions behave as expected when an R̄-term is applied to a numeral:

Lemma 2. For any terms E : Πx^A.B and F : Πx^A.B[sx] → B[x] and any n, we have

  $\bar R\,E\,F\,\bar n = F\,z^A\,(F\,\bar 1\,(\cdots F\,\overline{n-1}\,(E\,\bar n)\cdots))$.

Proof. We prove the lemma by induction on n for all terms E and F:

  $\bar R\,E\,F\,z = E\,z^A$

  $\bar R\,E\,F\,(s\bar n) = \bar R\,(\lambda w^A.F\,w\,(E\,(s^A w)))\,F\,\bar n$
  $\quad = F\,z^A\,(F\,\bar 1\,(\cdots F\,\overline{n-1}\,((\lambda w^A.F\,w\,(E\,(s^A w)))\,\bar n)\cdots))$
  $\quad = F\,z^A\,(F\,\bar 1\,(\cdots F\,\overline{n-1}\,(F\,\bar n\,(E\,\overline{n+1}))\cdots))$.

We now prove that the λR_0-representable functions are closed under iteration.

Proposition 3. Let f be a unary function.

1. If f is openly represented in λR_0, then f is uniformly represented in λR_0. In particular, by Prop. 1(2), f is openly represented iff it is uniformly represented.

2. If f is uniformly represented in λR_0, then f' is openly represented in λR_0, where f'(0) = n and f'(x+1) = f(f'(x)) for some fixed n.

Proof. 1. Suppose that B[u] : T_{−1} and the function f is openly represented by the term F : B[u] → u. Fix a fresh variable m : ΩT_{−1} and consider the term F* =df F[P^B_u m/u] : B[P^B_u m] → P^B_u m. By the definition of P^B_u, we have that in fact F* : P^B_u(sm) → P^B_u m. Furthermore, since only the types have changed, we also have that $F^*\,\bar n = \overline{f(n)}$, since $F\,\bar n = \overline{f(n)}$. Finally, P^B_u z = R u (λt.B[t]) z = u by definition of P^B_u. Thus λm^{ΩT_{−1}}.F* uniformly represents f.

2. Suppose that f is uniformly represented by F[u] : Πm^{ΩT_{−1}}.B[u, sm] → B[u, m]. Define the term

  F'_0 =df R̄ (λw^{ΩT_{−1}}.n̄^{B[u,w]}) F.

By definition of uniform representability we have B[u, z] = u, and therefore F'_0[u] : Ω(Πw.B[u, w]) → u. We now apply Lemma 2 to conclude that F'_0 openly represents f':

  $F'_0\,\bar k = F\,z\,(F\,\bar 1\,(\cdots F\,\overline{k-1}\,\bar n\cdots)) = \overline{f^k(n)} = \overline{f'(k)}$.

Finally, we note that in each part, if the types and terms initially asserted are derivable in λR_0, then so are all the types and terms involved in each step. Thus we conclude that the functions represented in λR_0 are closed under definition by iteration.

Since primitive recursion is reducible to iteration (see Rose [?]), Propositions 2 and 3 combine to prove:

Theorem 1. All primitive recursive functions are representable in λR_0.

As an example, we show how to represent the stacking function stk(x) in λR_0, where stk(0) = 2 and stk(x+1) = exp(stk(x)). As before, we assume that u is a type variable of kind T_{−1}. We have already discussed one representation of the exponentiation function for which exp : Ω(Nat → Nat) → Nat; the term Leivant defines in [?] can be easily adapted to this purpose. Applying Prop. 1(1), we assume that u : T_{−1} ⊢ exp : Ω(u → u) → u. Prop. 3(1) gives us the uniform representation

  exp* =df λm^{ΩT_{−1}}.(exp[P^{Ω(u→u)}_u m/u]) : Πm^{ΩT_{−1}}.P^{Ω(u→u)}_u(sm) → P^{Ω(u→u)}_u m.

Now we apply Prop. 3(2) to obtain the open representation of stk:

  stk =df R̄(λw^{ΩT_{−1}}.2̄)(exp*) : Ω(Πw^{ΩT_{−1}}.P^{Ω(u→u)}_u w) → u.

Of course, this process can be repeated any finite number of times. Given that the iterate of any representable function can be represented, one wonders about defining a term for the iteration functional, formalizing this argument. This would allow us to pass out of primitive recursion by defining, for example, the Ackermann function. In Section 6 we analyze this idea further and give some indication why in fact we cannot do so in λR_0.
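The reduction behaviour of R and R̄ (Section 3), the expansion of Lemma 2, the type constructor P^A_C, and the chain dbl → exp → stk built by Prop. 3 can all be checked mechanically. The Python script below is an added example, not code from the paper: it executes the two recursors on ordinary integers used as numerals (z = 0, s q = q + 1), so types are erased and ramification is not checked; it compares R̄ against a direct computation of the right-hand side of Lemma 2 on constructed sample terms, builds P at the level of type names, and reproduces stk by applying the iteration construction twice. All function names (`R`, `Rbar`, `lemma2_rhs`, `P`, `iterate_rep`, …) are my own.

```python
"""Added example (not from Danner's paper): the recursors R and R-bar of
Section 3 executed on numerals, Lemma 2, the type constructor P of
Section 4, and the iteration chain dbl -> exp -> stk.  Types are erased:
numerals are Python ints with z = 0 and s(q) = q + 1, so ramification is
not checked here, only the reduction behaviour."""

from typing import Any, Callable

Term = Any  # erased: ints for numerals, callables for functions, str for type names


def R(E: Term, F: Callable[[Term], Term], n: int) -> Term:
    """R E F z = E;  R E F (s q) = F (R E F q)."""
    acc = E
    for _ in range(n):
        acc = F(acc)
    return acc


def Rbar(E: Callable[[int], Term],
         F: Callable[[int], Callable[[Term], Term]], n: int) -> Term:
    """R-bar E F z = E z;  R-bar E F (s q) = R-bar (lambda w. F w (E (s w))) F q.
    E : Pi x^A.B[x] is a function of the index x; F : Pi x^A.(B[sx] -> B[x])
    is curried, F(x)(v)."""
    if n == 0:
        return E(0)
    return Rbar(lambda w: F(w)(E(w + 1)), F, n - 1)


def lemma2_rhs(E, F, n: int) -> Term:
    """Right-hand side of Lemma 2, computed directly:
    F 0 (F 1 (... F (n-1) (E n) ...))."""
    acc = E(n)
    for i in range(n - 1, -1, -1):
        acc = F(i)(acc)
    return acc


def check_lemma2(n: int) -> bool:
    """Compare R-bar with the Lemma 2 expansion on constructed sample terms
    E w = 10*w and F i v = v + i (any terms would do)."""
    E = lambda w: 10 * w
    F = lambda i: (lambda v: v + i)
    return Rbar(E, F, n) == lemma2_rhs(E, F, n)


def P(C: str, A: Callable[[str], str], n: int) -> str:
    """P^A_C = R C (lambda t. A[t]) applied to the numeral n, at the level of
    type names: P z = C and P (s q) = A[P q]."""
    return R(C, A, n)


# ---- Section 4: dbl, exp, stk by iteration --------------------------------

def succ(x: int) -> int:
    return x + 1


def dbl(x: int) -> int:
    """dbl is obtained by iterating the successor x times starting from x."""
    return R(x, succ, x)


def iterate_rep(F_star: Callable[[int], Callable[[int], int]],
                n0: int) -> Callable[[int], int]:
    """Prop. 3(2): from a uniform representation F* (indexed by m) build
    F'_0 = R-bar (lambda w. n0) F*, which represents f'(x) = f^x(n0)."""
    return lambda x: Rbar(lambda w: n0, F_star, x)


def dbl_star(m: int) -> Callable[[int], int]:
    """Prop. 3(1): the uniform representation ignores the index m."""
    return dbl


exp = iterate_rep(dbl_star, 2)      # exp(x) = dbl^x(2) = 2^(x+1)


def exp_star(m: int) -> Callable[[int], int]:
    return exp


stk = iterate_rep(exp_star, 2)      # stk(0) = 2, stk(x+1) = exp(stk(x))


if __name__ == "__main__":
    print([exp(x) for x in range(5)])            # [2, 4, 8, 16, 32]
    print([stk(x) for x in range(3)])            # [2, 8, 512]
    print(P("Nat", lambda t: "Ω" + t, 3))        # ΩΩΩNat
    print(all(check_lemma2(n) for n in range(8)))  # True
```

The only recursion in `Rbar` mirrors the reduction rule, so an application to n̄ unfolds n levels of closures before `E(0)` is reached; that is exactly the nesting Lemma 2 describes, and it is also why the script only prints `stk` up to argument 2.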



5 Upper Bound on Representable Functions

To show that the functions representable in λR_0 are exactly the primitive recursive functions, we translate derivations into an extension of Gödel's system T that we call T+. T+ is conservative over T in the sense that if E is a T+-term, then it is already a T-term. We then notice that the translations of the derivations for terms only use recurrence operators at object type, which implies that derivations of terms representing functions in λR_0 are mapped to functions definable in T using recurrence at object type, and hence the images are primitive recursive functions. Since the translation will respect reduction/normalization, we may conclude that any function representable in λR_0 is primitive recursive.

The main point to keep in mind for this translation is the following. In λR_0, the type constructors ultimately return elements of T_{−1}. That is, if we consider a given type constructor as a function of numeric and type arguments that outputs a type, then regardless of the input, the output is a type of kind T_{−1}. This follows because no type of the form Πx^A.T_0 can be formed in λR_0. Since the intended semantics of any element of T_{−1} is the natural numbers, intuitively every type constructor is really a constant function. Thus we expand system T to include type constructor constants to which (derivations of) the type constructors of λR_0 are mapped; the mapping of applications is translated in such a way as to implement this constant behavior.

Formally, we modify the usual system T by replacing the usual recursors with the following two recursors for every finite type σ:

  R_σ : σ → (σ → σ) → Nat → σ

  R̄_σ : (Nat → σ) → (Nat → σ → σ) → Nat → σ

with the reductions

  R E F z = E                R E F (s q) = F(R E F q)

  R̄ E F z = E z              R̄ E F (s q) = R̄(λw^{Nat}.F w (E (s w))) F q

We call the recursors R_Nat and R̄_Nat object-type recursors. We also add constants p and c for predecessor and conditional with the corresponding reductions. Of course, all of these could be defined in the usual system T; by adding them we just simplify the details of the translation. It is well-known that if a function is definable in System T using only object-type recursors, then it is primitive recursive (see, for example, Feferman and Avigad [2]).

To define the system T+, we will have two sorts of types. The N-types are the simple types over Nat. The U-types are defined as follows:

— U_0 is a U-type (U_0 can be taken to be the set of N-types).

— If ρ is an N-type and σ and τ are U-types, then ρ → τ and σ → τ are U-types.

The type constructors of T+ consist of Nat and constants for every U-type σ → τ. Finally, we define the terms of T+ to consist of the usual terms of system T; we have variables only for N-types σ. Since the type constructors are not used in defining the terms of T+, any term of T+ is already a term of T. The reductions for T+ consist of the usual β-reductions along with the R and R̄ reductions given above.
Table 1. Translation of λR_0-judgements for kinds and type constructors.



77 

r h T_i : □ 


Nat 


77 

rh A:s 


Nat 


r, X : T-i h X : T_i 




r\- BA ■. T-i 




Bo Bi 

r\- A -.Tj r\-C:s 


Bq 


77 

r\- A-.T-i 


77' 


r,x:C\- A -.Tj 




r\- A -.To 




h Nat : T—i 


Nat 


1- T_1 : □ 


Nat 



TIo III 

r\- A -.So r,x ■. A\- B : Si n'l 



r ■■ Si 



n 

r\- A:D 

r h : • • • 






77o III 

r\-A:T-i r,w:A\-B-.a 

r h R]Jx^.b ■ ■ 



f 



(Nat— )— ^(Nat— ^ )^Nat— ^77^ 



Bo III 

r,w.A^E-.B Wx^.B-.a ^ 
r ^ \x^ .E -Wx^ .B 

Bo Bi 

r\-C:Yix^.B r\-F-.A 

r I- CF : B[F/x] 



Nat, Bq — f(j— ^Nat 

fr, TIq = T / Nat 



We now give the translation of λR_0-derivations, writing Π' for the translation of Π. In Table 1 we give the translations of derivations for kinds and type constructors and note that Π' is always a type or type constructor. In Table 2 we give the translations for derivations of terms, and note that Π' is always a term of the appropriate type. In the λ-abstraction clause, we write Π_{1,0} to denote the left immediate subderivation of Π_1 as given in the inference rules of Section 3. To save space we write, for example, R : ··· instead of the actual type of R, which can be easily reconstructed from the derivation rules. We also write z| ··· as shorthand for the rules for the constants z, s, p, and c.

The translation of the type equality rule in Table 2 is sufficient for λR_0-derivations by the following lemma:

Lemma 3. If in λR_0 one can derive Γ ⊢ A : T_j and A is a redex, then j = −1.

Proof. This is proved by verifying that for each possible type of redex, a derivation of Γ ⊢ A : T_j must include a subderivation of Γ, Δ ⊢ T_j : □ for some (possibly empty) Δ. But in λR_0, the only possible derivation of this latter form is for j = −1.

Table 2. Translations of λR_0-judgements for terms.

n 

r\- A: Tj 

r, X : A \- X : A 

X 

n' 

Uq III 

r\- E:A r\-C:s n'n 

r,x:C'^ E-. A 

n 

E \- A : T—i z| ■ ■ ■ 

Ehz\--- 

n 

r\- A: T_1 

r h Ra : • • • 

J7o El 

r\-A:T-i r,w:A\-B:T-i 

E b Rpix^.B • ■ ■ ■ 

111 

ilo Eli 

r,w:A\-E:B Ux^.B-.Tj 

.Eg[x/w] 

E\- Xx'^.E-.Ux'^-B 

Eo Bi 

r\-E:Yix^-B r\-E-.A 

E'gE[ 

E\- EE: B[E/x] 

Eg El E2 

r\- E:A r\- A-.T-i r\- B-.T-i 

A = B IIq 

r\- E-.B 



Lemma 4. If Π is a λR_0-derivation of Γ ⊢ A : Πx_1^{A_1}. ⋯ Πx_m^{A_m}.T_{−1}, then there are σ_1, …, σ_m such that

  Π' = Nat                            if m = 0,
  Π' = (σ_1 → ⋯ → σ_m → Nat)          if m > 0.

In particular, if Π is a derivation of Γ ⊢ A : T_{−1}, then Π' = Nat.

Proof. By induction on derivations of kinds and type constructors. In the case of λ-abstraction, one must expand out the right subderivation and notice that its translation is of the appropriate form.
The following is the key proposition; its proof is a straightforward induction on the definition of the reduction relation. Recall that if Π is a derivation of a typing of a redex, then Π can be canonically converted to a derivation Σ typing the contractum, and we write Π → Σ.

Proposition 4. If Π and Σ are λR_0-derivations and Π → Σ, then Π' → Σ'.

Given that the standard typing of a numeral in λR_0 is translated to the standard system T numeral n̄, we conclude that if F[u^{T_{−1}}] : A[u] → u represents the function f in λR_0 and Π_F is the derivation typing F, then Π_F' is a system T term of type Nat → Nat also representing f. Furthermore, since recursor judgements in term derivations are translated to recursors only when the expression is of type T_{−1} (and type constructors otherwise), all recursors in Π_F' use only object-type recursion. We conclude that f must be primitive recursive. Combined with the work of the previous section in which we showed that all primitive recursive functions are representable in λR_0, we have just proved our main result:

Theorem 2. The functions representable in λR_0 are exactly the primitive recursive functions.

Although space prevents us from giving a detailed example of the translation of the present section, we will briefly outline the result of applying it to the terms exp* and stk defined at the end of Section 4. Assume that the derivation typing the term exp is translated to the System T+-term e : Nat → Nat which represents exp in system T. Roughly speaking, any derivation consists of "derivation leaves" that assign a kind to a type, which are used as immediate subderivations in Variable Introduction, Weakening, and Recursor rules. Following these rules are the more usual typing rules for terms. In analyzing the derivation of exp*, all subderivations of types assign the kind T_{−1}, and hence each is translated to the type Nat (Lemma 4). The typing derivation for exp*, then, is translated to the term e* =df λm^{Nat}.e : Nat → Nat → Nat. As m is not free in e, the extra argument is a dummy argument. The R̄-rule used in the derivation of stk requires an immediate subderivation that w : ΩT_{−1} ⊢ ··· : T_{−1}; this derivation is translated to Nat, and so the R̄-rule is translated to R̄_Nat. The derivation for stk itself is then translated to R̄_Nat(λy^{Nat}.s(sz))e* : Nat → Nat, which represents the function stk in System T.



6 Polymorphism and Diagonalization 

To extend this formalism to a system that captures more than the primitive recursive functions, we would like to implement diagonalization. A standard way to do so is to define the iteration functional $It(f)(x) =_{df} f^{x}(2)$ and then iterate $It$: if $f_0(y) = y + 1$ and $g(x) = It^{x}(f_0)(x)$, then $g$ diagonalizes across the generating functions for primitive recursion and is itself not primitive recursive. Summarizing the argument that the functions representable in $\lambda R_0$ are closed under iteration, we know that if $f$ is openly represented by $F[u] : B[u] \to u$, then $It(f)$ is openly represented by

.2^'^ ^){Xm^^-KF[P^m]) : f2 u. 

So it seems that to genericize $F[u]$ from an arbitrary but fixed term to a variable, we need to be able to change the value of the type variable $u$ to $m$. In other words, it appears that some form of polymorphism is necessary. This ties in neatly with our contention that the main function-definition procedures correspond to standard type-theoretic constructions.

Again using Barendregt's approach in [3], the product rule is a general enough mechanism for handling dependent products and polymorphism; all that must be adjusted is the set of allowable pairs $(s, s')$. Reading polymorphism as "terms depending on a type," one must allow product rules in which $(s, s') = (\Box, T_j)$. However, this naive approach gives full polymorphism, which we certainly wish to avoid here. Instead, let us consider the following version of the product rule:

$$\frac{\Gamma \vdash A : s_A \qquad \Gamma, w : A \vdash B[w] : s_B}{\Gamma \vdash \Pi x^{A}.\, B[x] : s}$$

Our current formalism $\lambda R$ allows the product rule for triples $(s_A, s_B, s)$ of the form $(P_j, P_k, P_k)$ for $0 < j < k$, $(T_j, \Box, \Box)$, and $(\Box, \Box, \Box)$. To allow for a controlled version of polymorphism in which impredicativity is disallowed, we now also permit triples of the form $(P_k, P_j, P_k)$ for $k > j > 0$ and $(\Box, P_j, \Box)$. With such a rule, one can then define an iteration term

A/n .i?n -/(Pf m)) : 



where Q = P^ . 

However, we still cannot iterate this term. Our recursor $R$ is designed to handle the iteration of function(al)s with an input type that is "more complex" than the output type, and this term reverses the situation. This is actually more in line with the approach taken when adding dependent types to the unramified System T (see, for example, Avigad's system, in which the recursor corresponding to our $R$ has type $P[z] \to \ldots P[s\,x] \ldots$; also see Nelson and

does not seem escapable. Intuitively, the iterate of a function must take "more complicated" inputs than the original function, and thus the term representing the iterate is more complicated than the term representing the original function. However, as per our earlier discussion of $R$, defining a recursor that allows iteration of function(al)s whose output type is more complicated than its input type poses non-trivial technical challenges. We hope to report on research in this direction in a future paper.
Abstract. In this paper we present a fully abstract game model for the pure lazy $\lambda$-calculus, i.e. the lazy $\lambda$-calculus without constants. In order to obtain this result we introduce a new category of games, the monotonic games, whose main characteristic is an order relation on moves.



1 Introduction 

The aim of this paper is to present a fully abstract model, based on game semantics, for the lazy $\lambda$-calculus. The $\lambda$-calculus we consider is the untyped one, with a lazy, call-by-name reduction strategy. The model we construct lies in the category of monotonic games introduced in this paper. This new category is derived from the one defined by Abramsky, Jagadeesan and Malacaria in [AJM94].

This paper is quite similar to the article [AM95a]. It has the same aims and uses a similar model, but there is also an important difference: the lazy $\lambda$-calculus considered in [AM95a] contains a constant $C$ that, in the operational semantics, performs a sequential test for convergence. The introduction of the constant $C$ is essential in order to obtain a full definability result and, as a consequence, the full abstraction of the model. Similarly, in [AO93] a fully abstract model for the lazy $\lambda$-calculus extended with the constant $C$ was obtained through syntactic methods, while the problem of finding a fully abstract model for the pure lazy $\lambda$-calculus was left open.

In this paper we show that it is possible to have a fully abstract model for the pure lazy $\lambda$-calculus without constants. In order to obtain this result, we need to introduce a new category of games that we call monotonic games and denote by $\mathcal{G}_M$. The category $\mathcal{G}_M$ differs from the more standard category $\mathcal{G}$ of AJM-games in several respects. In $\mathcal{G}_M$, moves are questions or answers and are ordered according to a notion of strength. Intuitively, a question $a$ is stronger than a question $b$ if it asks for more information. This means that if question $a$ can receive an answer, then so can $b$, or, from another point of view, $a$ requires more work than $b$ to be fulfilled. Similarly, an answer is stronger than another if it gives more information. Using this notion of strength, we impose some new restrictions on the way that a play can evolve and on the way that a strategy can behave. Intuitively, we ask that a play proceeds with stronger and stronger questions, and that a strategy preserves the strength order relation. By these restrictions, in our game $\lambda$-model strategies are forced to behave as interpretations of $\lambda$-terms, and hence we have a fully complete and fully abstract model.

2 The Calculus 

We define here the language $\Lambda_\ell$, together with its operational semantics. The language $\Lambda_\ell$ is a lazy $\lambda$-calculus; its set of terms is constructed from a set of variables $Var$ ($\ni x$) by the grammar:

$$M ::= x \mid MM \mid \lambda x.M$$

The operational semantics is given by a big-step reduction relation, $M \Downarrow N$, evaluating a term to a weak head normal form. The evaluation strategy is lazy and call-by-name.

$$\lambda x.M \Downarrow \lambda x.M \qquad\qquad \frac{M \Downarrow \lambda x.P \quad P[N/x] \Downarrow Q}{MN \Downarrow Q}$$

The above reduction strategy gives rise to a contextual pre-order ($\sqsubseteq_\ell$) on closed $\lambda$-terms ($\Lambda^\circ$) defined by:

$$M \sqsubseteq_\ell N \iff (\forall C[\ ] \text{ closed context}.\ C[M]\Downarrow \Rightarrow C[N]\Downarrow)$$

We denote by $\approx_\ell$ the equivalence relation induced by $\sqsubseteq_\ell$.

The following properties will be used:

— the lazy reduction strategy converges on any term $M$ $\beta$-equivalent to a $\lambda$-abstraction;

— the relation $\approx_\ell$ is a $\lambda\beta$-theory.

The above properties follow immediately from the fact that there exist adequate models for the lazy $\lambda$-calculus.
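The two evaluation rules above can be turned directly into an interpreter. The following Python program is an added example and not part of the original paper: it represents terms as nested tuples, implements capture-avoiding substitution $P[N/x]$, and evaluates closed terms to weak head normal form with exactly the lazy, call-by-name discipline of the rules (the argument $N$ is substituted unevaluated). Since $\Downarrow$ is undefined on divergent terms such as $\Omega = (\lambda x.xx)(\lambda x.xx)$, the evaluator is fuel-bounded. The term constructors (`var`, `app`, `lam`), the helper names and the sample terms are choices made for this example, not notation from the paper.

```python
"""Lazy (call-by-name) big-step evaluator for the pure lambda-calculus.

Implements the two rules of Section 2:

    lx.M => lx.M           M => lx.P    P[N/x] => Q
                           --------------------------
                                  M N => Q

Terms are nested tuples:
    ('var', name) | ('app', M, N) | ('lam', name, body)
Added example code; the representation and helper names are choices
made for this illustration, not notation from the paper.
"""
import itertools


def var(x):
    return ('var', x)


def app(m, n):
    return ('app', m, n)


def lam(x, body):
    return ('lam', x, body)


_fresh = itertools.count()


def free_vars(t):
    """Free variables of a term."""
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'app':
        return free_vars(t[1]) | free_vars(t[2])
    _, x, body = t
    return free_vars(body) - {x}


def subst(t, x, n):
    """P[N/x]: replace the free occurrences of x in t by n, renaming a
    binder whenever it would capture a free variable of n."""
    if t[0] == 'var':
        return n if t[1] == x else t
    if t[0] == 'app':
        return app(subst(t[1], x, n), subst(t[2], x, n))
    _, y, body = t
    if y == x:
        return t                                  # x is shadowed here
    if y in free_vars(n):
        z = '%s_%d' % (y, next(_fresh))           # fresh name, avoids capture
        body = subst(body, y, var(z))
        y = z
    return lam(y, subst(body, x, n))


class Diverges(Exception):
    """Fuel exhausted: no weak head normal form was reached."""


def whnf(t, fuel=1000):
    """Evaluate a closed term to weak head normal form (a lambda).

    Only the head is ever evaluated; the argument N of an application is
    substituted unevaluated, which is the lazy, call-by-name discipline.
    """
    while True:
        if fuel <= 0:
            raise Diverges(t)
        fuel -= 1
        if t[0] == 'lam':
            return t                              # axiom: lx.M => lx.M
        if t[0] == 'var':
            raise ValueError('free variable %s: term is not closed' % t[1])
        _, m, n = t
        f = whnf(m, fuel)                         # premise: M => lx.P
        t = subst(f[2], f[1], n)                  # continue with P[N/x]


def converges(t, fuel=1000):
    """M converges iff the lazy strategy reaches a whnf within the fuel bound."""
    try:
        whnf(t, fuel)
        return True
    except Diverges:
        return False


# Constructed sample terms (not from the paper).
I = lam('x', var('x'))                            # identity
K = lam('x', lam('y', var('x')))                  # constant combinator
omega = lam('x', app(var('x'), var('x')))         # self-application
Omega = app(omega, omega)                         # the classic divergent term

if __name__ == '__main__':
    print(whnf(app(K, Omega)))                    # lazy: K Omega => ly.Omega
    print(converges(Omega, 200))                  # False: fuel runs out
```

`whnf(app(K, Omega))` returns $\lambda y.\Omega$ without ever touching $\Omega$, which is the first of the two properties listed above in action, while `converges(Omega, 200)` exhausts its fuel. A strict (call-by-value) evaluator would loop on the former term, which is exactly why the theory $\sqsubseteq_\ell$ is specific to the lazy strategy.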



3 The Categories of Monotonic Games 

In this section we define the two categories of games employed in this article. These two categories are closely related to the categories $\mathcal{G}$ and $K_!(\mathcal{G})$ presented in [AJM94]. They are defined following similar patterns; essentially, they differ only in the strength order relation on moves. We begin by giving the basic definitions.
As usual, we consider games between two participants: the Player and the Opponent. A play consists of an alternating sequence of moves, where each move consists of posing a question ($\in M^Q$) or giving an answer ($\in M^A$). Before giving the definition of games, we introduce the notation that will be used in the following.

— We use the metavariables $A, B, C$ to range over games, the metavariables $s, t, r, q$ to range over plays and the metavariables $a, b, c$ to range over moves.

— The empty sequence is denoted by $\varepsilon$, concatenation of sequences is denoted by juxtaposition, and the prefix relation between sequences is denoted by $\sqsubseteq$.

— Given a sequence $s$ of moves in $M$ and a subset $M'$ of $M$, $s\restriction_{M'}$ denotes the subsequence of $s$ formed by the elements contained in $M'$, and $|s|$ denotes the length of $s$.

— The function $nl$ (nesting level) from plays to integers is defined as follows:

$$nl(\varepsilon) = 0 \qquad\qquad nl(sa) = |s\restriction_{M^Q}| - |sa\restriction_{M^A}|$$

In a play, questions and answers match like opened and closed parentheses in an expression; the value $nl(sa)$ gives the nesting level of questions at which the move $a$ lies in the sequence $sa$. Note that, in the above definition of $nl(sa)$, the move $a$ is "counted" only if it is an answer; as a consequence, the function $nl$ has the same value on a question and on the corresponding answer.



Definition 1. A game $A$ is a tuple $(M_A, \lambda_A, \prec_A, P_A, \approx_A)$ where

— $M_A$ is a set of moves,

— $\lambda_A : M_A \to \{O, P\} \times \{Q, A\}$ is the labelling function: it tells us if a move is taken by the Opponent or by the Player, and if it is a Question or an Answer. We can decompose $\lambda_A$ into $\lambda_A^{OP} : M_A \to \{O, P\}$ and $\lambda_A^{QA} : M_A \to \{Q, A\}$ and put $\lambda_A = (\lambda_A^{OP}, \lambda_A^{QA})$. We denote by $\bar{\cdot}$ the function which exchanges Player and Opponent, and Question and Answer, i.e. $\bar O = P$, $\bar P = O$, $\bar Q = A$ and $\bar A = Q$. We also denote by $\bar\lambda_A^{OP}$ the function defined by $\bar\lambda_A^{OP}(a) = \overline{\lambda_A^{OP}(a)}$ and by $\bar\lambda_A$ the function $(\bar\lambda_A^{OP}, \lambda_A^{QA})$.

— $\prec_A \subseteq M_A \times M_A$ is a strict order relation on the set of moves.

— $P_A$ is the set of plays of the game $A$, that is a non-empty and prefix-closed subset of the set $M_A^{\circledast}$, where $M_A^{\circledast}$ is the set of all sequences of moves which satisfy the following conditions:

— $s = as' \Rightarrow \lambda_A(a) = OQ$: a play starts with a question made by the Opponent.

— $s = rabt \Rightarrow \lambda_A^{OP}(a) = \overline{\lambda_A^{OP}(b)}$: Player and Opponent alternate.

— $s = rat \wedge \lambda_A^{QA}(a) = A \Rightarrow nl(ra) \geq 0$: it is possible to play an answer only if there is a pending question.

— $s = qarbt \wedge nl(qa) = nl(qarb) \Rightarrow a \prec_A b$: a question is weaker than the corresponding answer; if an answer $a$ is followed by a new question $b$, then $b$ is stronger than $a$; and this condition applies recursively to nested moves.

— $\approx_A$ is an equivalence relation on $P_A$ which satisfies the following properties:

— $s \approx_A \varepsilon \Rightarrow s = \varepsilon$

— $sa \approx_A s'a' \Rightarrow s \approx_A s'$

— $s \approx_A s' \wedge sa \in P_A \Rightarrow \exists a'.\ sa \approx_A s'a'$

— $sa \approx_A s'a' \wedge sarb \approx_A s'a'r'b' \Rightarrow ((a \prec_A b \Leftrightarrow a' \prec_A b') \wedge (b \prec_A a \Leftrightarrow b' \prec_A a'))$

Definition 2 (Strategies). A strategy $\sigma$ in a game $A$ is a non-empty set of plays of even length such that $\sigma \cup dom(\sigma)$ is prefix-closed, where $dom(\sigma) = \{t \in P_A \mid \exists a.\ ta \in \sigma\}$.

A strategy can be seen as a set of rules which tells the Player which move to make after the last move by the Opponent.

In this paper we shall consider strategies that are deterministic, history-free and monotone. A strategy is history-free if it depends only on the last move by the Opponent; it is monotone if, in some particular cases, it respects the partial order $\prec$ (see below).

Before giving the definition of monotone strategy, we need to introduce two new concepts: the set of derived questions and the set of derived answers. The intuitive idea is the following: if, in a play $s$, a question $a$ of the Opponent is followed by a question $b$ of the Player, one can consider $b$ an effect of question $a$, since in order to answer $a$, the Player needs to know the answer to $b$. Moreover, if after receiving an answer $c$ to $b$ the Player asks a second question $b'$, this means that the information given by $c$ was not sufficient and new information is required; that is, $b'$ can also be considered a direct consequence of $a$. The above argument can be repeated until $a$ receives an answer, in this way defining the set of derived questions of question $a$. Formally, the set of derived questions of a question $a$ in a play $s$ is defined by:

$$drv(s, a) = \{ b \mid b \in M^Q,\ s = s'arbs'',\ nl(r) = 0,\ \forall r' \sqsubseteq r.\ nl(r') \geq 0 \}$$

Similarly, one can associate to an answer $a$ the set of answers generated thanks to the information given by $a$, and define the set of derived answers of an answer $a$ in a play $s$:

$$drv(s, a) = \{ b \mid b \in M^A,\ s = s'arbs'',\ nl(r) = 0,\ \forall r' \sqsubseteq r.\ nl(r') \leq 0 \}$$

The function $drv$ can be extended to strategies. Given a strategy $\sigma$ and an Opponent move $a$, the set of moves derived from $a$ in strategy $\sigma$ is defined by:

$$drv(\sigma, a) = \bigcup_{s \in \sigma} drv(s, a)$$
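The nesting-level function, the play conditions of Definition 1 and the two $drv$ sets above are simple enough to check mechanically. The following Python code is an added example and not part of the original paper: it implements $nl$, the four conditions on $M^{\circledast}$ (with the strength order $\prec$ given as edges and closed under transitivity) and $drv(s, a)$ literally as printed, and runs them over a constructed play in a small game shaped like the model $D$ of Section 5, where q0, q1 are Opponent questions at level 0 and p1, p2 are Player questions about the argument at level 1. The move names, labels and order edges are constructed for this example. One thing the run makes visible: as printed, the derived-answer set does not restrict $b$ to Player moves, so for the Opponent answer r1 it contains the Opponent answer r2 as well as the Player answer a1.

```python
"""Nesting level, plays and derived moves for monotonic games (Section 3).

A move is a string; a labelling maps it to (player, kind) with
player in {'O', 'P'} and kind in {'Q', 'A'}.  The strength order is a
set of pairs (a, b) meaning a < b, closed under transitivity.
Added example code; move names and the toy game are constructed here.
"""
from itertools import combinations


def nl(seq, kind):
    """nl(e) = 0,  nl(sa) = |s|Q| - |sa|A|.

    The last move is counted only when it is an answer, so a question
    and its answer receive the same nesting level."""
    if not seq:
        return 0
    questions = sum(1 for m in seq[:-1] if kind(m) == 'Q')
    answers = sum(1 for m in seq if kind(m) == 'A')
    return questions - answers


def levels(seq, labels):
    """Nesting level of every move of the play, in order."""
    kind = lambda m: labels[m][1]
    return [nl(seq[:i + 1], kind) for i in range(len(seq))]


def transitive_closure(edges):
    """Smallest transitive relation containing the given edges (Warshall)."""
    order = set(edges)
    nodes = {x for e in edges for x in e}
    for k in nodes:
        for i in nodes:
            if (i, k) in order:
                for j in nodes:
                    if (k, j) in order:
                        order.add((i, j))
    return order


def is_play(seq, labels, prec):
    """The four conditions defining M^* in Definition 1."""
    player = lambda m: labels[m][0]
    kind = lambda m: labels[m][1]
    if seq and labels[seq[0]] != ('O', 'Q'):
        return False                    # a play starts with an Opponent question
    if any(player(x) == player(y) for x, y in zip(seq, seq[1:])):
        return False                    # Player and Opponent alternate
    for i, m in enumerate(seq):
        if kind(m) == 'A' and nl(seq[:i + 1], kind) < 0:
            return False                # an answer needs a pending question
    lv = levels(seq, labels)
    for i, j in combinations(range(len(seq)), 2):
        if lv[i] == lv[j] and (seq[i], seq[j]) not in prec:
            return False                # same level => later move is stronger
    return True


def drv(seq, pos, labels):
    """Derived moves of the move at index pos, literally as printed:

    question a: {b in M^Q | s = s'arbs'', nl(r) = 0, all r' <= r: nl(r') >= 0}
    answer   a: {b in M^A | s = s'arbs'', nl(r) = 0, all r' <= r: nl(r') <= 0}
    No restriction on the player of b is imposed by the definition."""
    kind = lambda m: labels[m][1]
    k = kind(seq[pos])
    ok = (lambda v: v >= 0) if k == 'Q' else (lambda v: v <= 0)
    derived = set()
    for j in range(pos + 1, len(seq)):
        if kind(seq[j]) != k:
            continue
        r = seq[pos + 1:j]
        prefixes = [r[:n] for n in range(len(r) + 1)]
        if nl(r, kind) == 0 and all(ok(nl(p, kind)) for p in prefixes):
            derived.add(seq[j])
    return derived


# Constructed toy game: q0, q1 Opponent questions at level 0 with answers
# a0, a1; p1, p2 Player questions about the argument at level 1 with
# Opponent answers r1, r2.  Strength grows along each level.
LABELS = {'q0': ('O', 'Q'), 'a0': ('P', 'A'), 'q1': ('O', 'Q'), 'a1': ('P', 'A'),
          'p1': ('P', 'Q'), 'r1': ('O', 'A'), 'p2': ('P', 'Q'), 'r2': ('O', 'A')}
PREC = transitive_closure({('q0', 'a0'), ('a0', 'q1'), ('q1', 'a1'),
                           ('p1', 'r1'), ('r1', 'p2'), ('p2', 'r2')})
PLAY = ['q0', 'a0', 'q1', 'p1', 'r1', 'p2', 'r2', 'a1']

if __name__ == '__main__':
    print(levels(PLAY, LABELS))                 # [0, 0, 0, 1, 1, 1, 1, 0]
    print(is_play(PLAY, LABELS, PREC))          # True
    print(sorted(drv(PLAY, 2, LABELS)))         # questions derived from q1
    print(sorted(drv(PLAY, 4, LABELS)))         # answers derived from r1
```

Running it shows that the Player questions p1 and p2 are both derived from the Opponent question q1 (p2 is asked after p1 has been answered but before q1 is), while nothing is derived from q0, which was answered before any further question was posed. The check for the answer condition uses $nl(ra) \geq 0$, which with the $nl$ of this section is the same as "at least one question of $r$ is still pending".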
Definition 3 (Deterministic, history-free and monotone strategies).

A strategy $\sigma$ for a game $A$ is deterministic if:

$$sb, sc \in \sigma \Rightarrow b = c$$

The strategy $\sigma$ is history-free if:

$$sab, t \in \sigma \wedge ta \in P_A \Rightarrow tab \in \sigma$$

The strategy $\sigma$ is monotone if:

$$s \in \sigma \wedge sa \in P_A \wedge a' \prec a \wedge drv(\sigma, a') \neq \emptyset \Rightarrow \exists b.\ (sab \in \sigma \wedge \forall b' \in drv(\sigma, a').\ b' \prec b)$$

In the following we implicitly assume strategies to be deterministic, history-free and monotone.

The condition of monotonicity requires that if a strategy $\sigma$ reacts to a question $a$ with another question $b$ (or to an answer $a$ with an answer $b$), then $\sigma$ needs to react to any move stronger than $a$ with a move that is stronger than $b$ (and stronger than any other move derived from $a$). The notion of derived moves is essential in order to ensure that the composition of two monotone strategies is a monotone strategy.

The condition of monotonicity is quite strong. In particular, there are "few" finite monotone strategies: in general, a monotone strategy cannot be approximated by a chain of finite monotone strategies. This shortage of finite strategies is necessary in order to have a full definability result. In game semantics the interpretation of a solvable $\lambda$-term is always an infinite object. In [KNO00, KNO99] the semantic interpretations of $\lambda$-terms are characterised as almost-everywhere copy-cat strategies. In the game $\lambda$-models we are going to construct, the condition of monotonicity essentially forces strategies to behave as almost-everywhere copy-cat strategies.

The equivalence relation $\approx$ on plays generates a relation $\sqsubseteq$ and a partial equivalence relation $\approx$ on strategies in the following way.

Definition 4 (Order-enrichment). Given strategies $\sigma$ and $\tau$ we write $\sigma \sqsubseteq \tau$ iff

$$sab \in \sigma \wedge s' \in \tau \wedge sa \approx s'a' \Rightarrow \exists b'.\ (s'a'b' \in \tau \wedge sab \approx s'a'b')$$

The relation $\approx$ on strategies is defined by $\sigma \approx \tau$ iff $\sigma \sqsubseteq \tau$ and $\tau \sqsubseteq \sigma$.

It is easy to check that $\approx$ is a partial equivalence relation. It is not an equivalence since it might lack reflexivity. If $\sigma$ is a strategy for a game $A$ such that $\sigma \approx \sigma$, we write $\sigma : A$. It is also immediate that $\sqsubseteq$ defines a partial order on the equivalence classes of strategies.

Definition 5 (Tensor product). Given games $A$ and $B$ the tensor product $A \otimes B$ is the game defined as follows:

— $M_{A \otimes B} = M_A + M_B$;

— $\lambda_{A \otimes B} = [\lambda_A, \lambda_B]$;

— $\prec_{A \otimes B} = \prec_A \cup \prec_B$;

— $P_{A \otimes B} \subseteq M_{A \otimes B}^{\circledast}$ is the set of plays $s$ satisfying the projection condition: $s\restriction_{M_A} \in P_A$ and $s\restriction_{M_B} \in P_B$ (the projections on each component are plays for the games $A$ and $B$ respectively);

— $s \approx_{A \otimes B} s'$ iff $s\restriction_A \approx_A s'\restriction_A \wedge s\restriction_B \approx_B s'\restriction_B \wedge \forall i.\ (s_i \in M_A \Leftrightarrow s'_i \in M_A)$.

Here $+$ denotes disjoint union of sets, that is $A + B = \{inl(a) \mid a \in A\} \cup \{inr(b) \mid b \in B\}$, and $[\ ,\ ]$ is the usual (unique) decomposition of a function defined on disjoint unions.

One should notice that, differently from the standard definition of [AJM94], it is not necessary to impose the stack discipline, which says that in a play every answer must be in the same component game as the corresponding question. The stack discipline is forced by the monotonicity condition on plays: in fact a question $a$ and the corresponding answer $b$ have the same nesting level, therefore $a \prec_{A \otimes B} b$, and by the definition of $\prec_{A \otimes B}$, $a$ and $b$ lie in the same component. It is also useful to observe that alternation in each component constrains the labelling of any $sab \in P_{A \otimes B}$ in which $a$ and $b$ lie in different components. As a consequence, in a tensor product game only the Opponent can switch component, and this can happen only by reacting to a question of the Player with another question, or by giving an answer in the correct component.

Definition 6 (Unit). The unit element for the tensor product is the empty game $I = (\emptyset, \emptyset, \emptyset, \{\varepsilon\}, \{(\varepsilon, \varepsilon)\})$.

Definition 7 (Linear implication). Given games $A$ and $B$ the compound game $A \multimap B$ is defined as follows:

— $M_{A \multimap B} = M_A + M_B$

— $\lambda_{A \multimap B} = [\bar\lambda_A, \lambda_B]$

— $\prec_{A \multimap B} = \prec_A \cup \prec_B$

— $P_{A \multimap B} \subseteq M_{A \multimap B}^{\circledast}$ is the set of plays $s$ which satisfy the projection condition: $s\restriction_{M_A} \in P_A$ and $s\restriction_{M_B} \in P_B$

— $s \approx_{A \multimap B} s'$ iff $s\restriction_A \approx_A s'\restriction_A \wedge s\restriction_B \approx_B s'\restriction_B \wedge \forall i.\ (s_i \in M_A \Leftrightarrow s'_i \in M_A)$

By repeating the arguments used for the tensor product, it is not difficult to see that in a "linear implication game" only the Player can switch component, and this can happen only by reacting to a question of the Opponent with another question, or by giving an answer in the correct component.

Definition 8 (Exponential). Given a game $A$ the game $!A$ is defined as follows:

— $M_{!A} = \mathbb{N} \times M_A = \sum_{i \in \mathbb{N}} M_A$

— $\lambda_{!A}((i, a)) = \lambda_A(a)$

— $(i, a) \prec_{!A} (j, b)$ iff $i = j$ and $a \prec_A b$

— $P_{!A} \subseteq M_{!A}^{\circledast}$ is the set of plays $s$ which satisfy the condition: $\forall i \in \mathbb{N}.\ s\restriction_i \in P_{A_i}$

— $s \approx_{!A} s'$ iff there exists a permutation $\alpha$ of $\mathbb{N}$ such that:

— $\pi_1^*(s) = \alpha^*(\pi_1^*(s'))$

— $\forall i \in \mathbb{N}.\ (\pi_2^*(s'\restriction_{\alpha(i)}) \approx_A \pi_2^*(s\restriction_i))$

where $\alpha^*$ denotes the pointwise extension of the function $\alpha$ to sequences of naturals, $\pi_1$ and $\pi_2$ are the projections of $\mathbb{N} \times M_A$, and $s\restriction_i$ is an abbreviation of $s\restriction_{A_i}$.
Definition 9 (The category of games $\mathcal{G}_M$).

The category $\mathcal{G}_M$ has as objects games and as morphisms between games $A$ and $B$ the equivalence classes, w.r.t. the relation $\approx_{A \multimap B}$, of deterministic, history-free and monotone strategies $\sigma : A \multimap B$. We denote the equivalence class of $\sigma$ by $[\sigma]$.

The identity for each game $A$ is given by the (equivalence class of the) copy-cat strategy, recursively defined as follows:

$$id_A = \{ sa'a'' \in P_{A \multimap A} \mid s \in id_A,\ \{a', a''\} = \{inl(a), inr(a)\} \} \cup \{\varepsilon\}$$

Composition is given by the extension to equivalence classes of the following composition of strategies. Given strategies $\sigma : A \multimap B$ and $\tau : B \multimap C$, $\tau \circ \sigma : A \multimap C$ is defined by

$$\tau \circ \sigma = \{ s\restriction_{A,C} \mid s \in (M_A + M_B + M_C)^*,\ s\restriction_{A,B} \in \sigma,\ s\restriction_{B,C} \in \tau \}^{even}$$

where $S^{even}$ denotes the set of plays in $S$ having even length.

The correctness of the above definition follows, in part, from the correctness of the definition of AJM-games. In addition we need to prove that:

— $id_A$ is a monotone strategy,

— the composition of two monotone strategies is again a monotone strategy.

The monotonicity of $id_A$ follows immediately from the fact that for every pair of moves $a, b \in M_A$, $drv(id_A, inl(a)) = \{inr(a)\}$ and $drv(id_A, inr(b)) = \{inl(b)\}$. The preservation of monotonicity by strategy composition follows easily from the fact that for every pair of strategies $\sigma : A \multimap B$ and $\tau : B \multimap C$ and for every pair of moves $a \in M_A$ and $c \in M_C$, if $a \in drv(\tau \circ \sigma, c)$ then there exists a chain $b_1, \ldots, b_{2n+1}$ such that $b_1 \in drv(\tau, c)$, $a \in drv(\sigma, b_{2n+1})$, and $\forall i \in \{1, \ldots, n\}.\ b_{2i} \in drv(\sigma, b_{2i-1}),\ b_{2i+1} \in drv(\tau, b_{2i})$.

The constructions introduced in Definitions 5, 7 and 8 can be made functorial.

Definition 10. Given two strategies $\sigma : A \multimap B$ and $\sigma' : A' \multimap B'$, the strategies $\sigma \otimes \sigma' : (A \otimes A') \multimap (B \otimes B')$, $\sigma \multimap \sigma' : (A \multimap A') \multimap (B \multimap B')$ and $!\sigma : !A \multimap !B$ are recursively defined as follows:

$$\sigma \otimes \sigma' = \{ sab \in P_{(A \otimes A') \multimap (B \otimes B')} \mid s \in \sigma \otimes \sigma',\ sab\restriction_{M_A \cup M_B} \in \sigma,\ sab\restriction_{M_{A'} \cup M_{B'}} \in \sigma' \} \cup \{\varepsilon\}$$

$$\sigma \multimap \sigma' = \{ sab \in P_{(A \multimap A') \multimap (B \multimap B')} \mid s \in \sigma \multimap \sigma',\ sab\restriction_{M_A \cup M_B} \in \sigma,\ sab\restriction_{M_{A'} \cup M_{B'}} \in \sigma' \} \cup \{\varepsilon\}$$

$$!\sigma = \{ s \in P_{!A \multimap !B} \mid \forall i.\ s\restriction_{M_{A_i} \cup M_{B_i}} \in \sigma \}$$

It is not difficult to check that the above definitions are correct and that $\otimes$ and $I$ indeed provide a categorical tensor product and its unit.

The category $\mathcal{G}_M$ is monoidal closed, but not Cartesian closed. Analogously to what happens for AJM-games, a Cartesian closed category of games can be obtained by taking the co-Kleisli category $K_!(\mathcal{G}_M)$ over the co-monad $(!, der, \delta)$, where for each game $A$ the strategies $der_A : !A \multimap A$ and $\delta_A : !A \multimap !!A$ are defined as follows:

— $der_A = [\{ s \in P_{!A \multimap A} \mid s\restriction_{(!A)_0, A} \in id_A \}]$

— $\delta_A = [\{ s \in P_{!A \multimap !!A} \mid \forall i, j.\ s\restriction_{(!A)_{p(i,j)}, (!(!A)_i)_j} \in id_A \}]$, where $p : \mathbb{N} \times \mathbb{N} \to \mathbb{N}$ is a pairing function.

Hence one can easily see that the following definitions are well posed.

Definition 11 (A Cartesian closed category of games). The category $K_!(\mathcal{G}_M)$ has as objects games and as morphisms between games $A$ and $B$ the equivalence classes of history-free strategies in the game $!A \multimap B$.

In order to give semantics to the lazy $\lambda$-calculus, it is necessary to define the lifting constructor.

Definition 12 (Lifting). Given a game $A$, the lifted game $A_\bot$ is defined as follows:

— $M_{A_\bot} = M_A + \{\circ, \bullet\}$

— $\lambda_{A_\bot} = [\lambda_A, \{\circ \mapsto OQ, \bullet \mapsto PA\}]$

— $\prec_{A_\bot} = \prec_A \cup \{(b, a) \mid a \in M_A, b \in \{\circ, \bullet\}\} \cup \{(\circ, \bullet)\}$

— $P_{A_\bot} = \{\varepsilon, \circ\} \cup \{\circ\bullet s \mid s \in P_A\}$

— $s \approx_{A_\bot} s'$ iff $s = s'$, or $s = \circ\bullet t$, $s' = \circ\bullet t'$ and $t \approx_A t'$

Note that the above definition cannot be made functorial, at least not in a standard way. Given a strategy $\sigma : A \multimap B$, the strategy $\sigma_\bot : A_\bot \multimap B_\bot$ is usually defined by:

$$\sigma_\bot = \{ \circ_A \circ_B \bullet_B \bullet_A s \mid s \in \sigma \} \cup \{\varepsilon, \circ_A \circ_B\}$$

In the category $\mathcal{G}_M$, with the above definition, $\sigma_\bot$ is not necessarily a monotone strategy. In fact, the initial behaviour of $\sigma_\bot$ ($\circ_A \circ_B \bullet_B \bullet_A \in \sigma_\bot$) imposes conditions on the future behaviour of the strategy that are not necessarily satisfied.

However, given any game $A$ having a single initial move $a$, it is possible to define two strategies $up_A : A \multimap A_\bot$ and $dn_A : A_\bot \multimap A$ as follows:

$$up_A = \{ \circ_{A_\bot} \bullet_{A_\bot} s \mid s \in id_A \} \cup \{\varepsilon\}$$

$$dn_A = \{ a \circ_{A_\bot} \bullet_{A_\bot} s \in P_{A_\bot \multimap A} \mid as \in id_A \} \cup \{\varepsilon, a \circ_{A_\bot}\}$$

It is not difficult to prove that the above strategies are well defined and that $dn_A \circ up_A \approx id_A$.

In order to define a model for the lazy $\lambda$-calculus, the functoriality of the lifting constructor is not necessary; the existence of the strategies $dn_A$ and $up_A$ suffices.

4 Solution of Recursive Game Equations

The categories of games $\mathcal{G}_M$ and $K_!(\mathcal{G}_M)$ allow for the existence of recursive objects, i.e. objects that are fixed points of game constructors. We present the method proposed by Abramsky and McCusker for defining recursive games. This method allows one to define initial fixed points for a large class of functors and follows the pattern used for building initial fixed points in the context of information systems. First a complete partial order $\trianglelefteq$ on games is introduced.

Definition 13. Let $A, B$ be games. $A$ is a sub-game of $B$ ($A \trianglelefteq B$) if

— $M_A \subseteq M_B$;

— $\lambda_A = \lambda_B\restriction_{M_A}$;

— $\prec_A = \prec_B\restriction_{M_A}$;

— $P_A = P_B \cap M_A^{\circledast}$;

— $s \approx_A s'$ iff $s \approx_B s'$ and $s \in P_A$.

One can easily see that the sub-game relation defines a complete partial order on games. Hence a game constructor $F$ which is continuous with respect to $\trianglelefteq$ has a (minimal) fixed point $D = F(D)$ given by $\bigcup_{n \in \mathbb{N}} F^n(I)$. Notice that we have indeed an identity between $D$ and $F(D)$, and that we do not need the game constructor $F$ to be a functor; as a result we can also apply this method to the lifting game constructor.

One can easily see that the game constructors $\multimap$, $!$, $(\ )_\bot$ and their compositions are continuous with respect to $\trianglelefteq$; therefore, the method applies to them.

5 Lazy $\lambda$-Models in $K_!(\mathcal{G}_M)$

A standard way to construct a model for the lazy $\lambda$-calculus consists in taking the initial fixed point of the functor $F(D) = (D \to D)_\bot$ [AO93], [AM95a], [DPR98], [EHR92]. Here we use the same technique. We denote by $D$ the least fixed point of the game constructor $F(A) = (A \to A)_\bot = (!A \multimap A)_\bot$ in the category of monotonic games ($D = \bigcup_n F^n(I)$). We denote by $\varphi : !D \multimap (!D \multimap D)$ the morphism $dn_{!D \multimap D} \circ der_D$ and by $\psi : !(!D \multimap D) \multimap D$ the morphism $up_{!D \multimap D} \circ der_{!D \multimap D}$.

The morphisms $\varphi$ and $\psi$ define a retraction between $D$ and $!D \multimap D$ such that $\psi \circ \bot \not\approx_D \bot$, where by $\bot$ we indicate the smallest strategy $\{\varepsilon\}$. It follows that the tuple $\mathcal{D} = (D, \varphi, \psi)$ defines a categorical model of the lazy $\lambda$-calculus.

Definition 14. The interpretation of a $\lambda$-term $M$ (whose free variables are among the list $\Gamma = \{x_1, \ldots, x_n\}$) in the model $\mathcal{D} = (D, \varphi, \psi)$ is the strategy $[\![M]\!]_\Gamma : \overbrace{(!D \otimes \cdots \otimes !D)}^{n} \multimap D$ defined inductively as follows:

$[\![x_i]\!]_\Gamma = \pi_i$;

$[\![MN]\!]_\Gamma = ev \circ \langle \varphi \circ [\![M]\!]_\Gamma, [\![N]\!]_\Gamma \rangle$;

$[\![\lambda x.M]\!]_\Gamma = \psi \circ \Lambda([\![M]\!]_{\Gamma, x})$;

where $\pi_i$ are the canonical projection morphisms, and $ev$ and $\Lambda$ denote "evaluation" and "abstraction" in the Cartesian closed category $K_!(\mathcal{G}_M)$.

It is useful to give some intuitive explanations concerning the plays in the game $\lambda$-model $D$. In game $D$ the Opponent can be identified with the environment, while the Player can be identified with a program ($\lambda$-term) interrogated by the Opponent. A possible play $s$ in game $D$ proceeds as follows: the initial move of $s$ is a request of the Opponent to know if the Player is a $\lambda$-abstraction; the Player fails to reply if it is a strongly unsolvable term, otherwise it answers (positively) to the question. After that, the play proceeds by a consecutive question of the Opponent asking if there is another $\lambda$-abstraction inside the first $\lambda$-abstraction. Again the Player may fail to answer, if it is an unsolvable term of order 1, or it may answer, if it contains two $\lambda$-abstractions. This time, however, the Player can also pose a question to the Opponent; this happens if the Player is of the form $\lambda x.\, x M_1 \ldots M_m$. In this case, the Player contains a second $\lambda$-abstraction depending on the value (behaviour) of $x$ (the first argument passed by the Opponent). In particular, in the above case, the Player needs to check whether $x$ contains $m+1$ $\lambda$-abstractions. In reaction to the questions of the Player on the argument $x$, the Opponent can reply by posing questions on the arguments passed to $x$; in this case, the Player will answer according to the terms $M_i$. The play can proceed with questions and answers at an arbitrary nesting level, with the Opponent asking information on the deeper structure of the Player.

The order relation $\prec_D$ models the fact that consecutive questions, at the same nesting level, ask for more and more $\lambda$-abstractions. The condition of monotonicity on plays models the fact that the questions posed by a $\lambda$-term (Player) at nesting level 1 always concern the argument appearing as head variable.

More formally, we present a set of results describing the theory induced by the game $\lambda$-model $D$. Since $D$ is a $\lambda$-model and since the interpretation of a $\lambda$-abstraction is never equivalent to the strategy $\bot$, one immediately has:

Proposition 1. For any pair of closed $\lambda$-terms $M, N$, if $M \ldots N$ then $[\![M]\!] \ldots$

The proof of adequacy needs to be more complex. In general, sophisticated proof techniques, such as the computability method, invariant relations or the approximation theorem, are needed to prove the adequacy of a model. In this case we can use a previous result concerning the game semantics of the untyped $\lambda$-calculus. In this way we are also able to characterize precisely the theory induced by $D$.

In [DGF00], a complete characterisation of the theories induced by game models in the category $\mathcal{G}$ of games and history-free strategies has been carried out. In particular, it has been shown that every categorical game model $(A, \varphi_A, \psi_A)$ such that $\psi_A \circ \bot \neq \bot$ induces the theory $\mathcal{LT}$. In the theory $\mathcal{LT}$ two terms are identified if and only if they have the same Levy-Longo tree [Lon83]. We briefly recall the definitions.

Definition 15. Let $\Sigma = \{\lambda x_1 \ldots x_n.\bot \mid n \in \mathbb{N}\} \cup \{\lambda x_1 \ldots x_n.y \mid n \in \mathbb{N}\}$, with $x_1, \ldots, x_n, y \in Var$.

The Levy-Longo tree associated to a $\lambda$-term $M$, $LLT(M)$, is a $\Sigma$-labelled infinitary tree defined informally as follows:

— $LLT(M) = \top$ if $M$ is unsolvable of order $\infty$, that is, for each natural number $n$ there exists a $\lambda$-term $\lambda x_1 \ldots x_n.M'$ $\beta$-equivalent to $M$.

— $LLT(M) = \lambda x_1 \ldots x_n.\bot$ if $M$ is unsolvable of order $n$.

— $LLT(M)$ is the tree with root $\lambda x_1 \ldots x_n.y$ and children $LLT(M_1), \ldots, LLT(M_m)$ if $M$ is solvable and has principal head normal form $\lambda x_1 \ldots x_n.\, y M_1 \ldots M_m$.

The arguments used in [DGF00] can be straightforwardly applied also to the category $\mathcal{G}_M$. In particular, through an application of the Approximation Theorem it is possible to derive that:

Proposition 2. For any pair of closed $\lambda$-terms $M, N$, if $LLT(M) \sqsubseteq LLT(N)$ then $[\![M]\!] \sqsubseteq [\![N]\!]$.

Proposition 3 (Adequacy and Soundness). For any pair of closed $\lambda$-terms $M, N$:

— if $[\![M]\!] \not\approx \bot$ then $M\Downarrow$;

— if $[\![M]\!] \sqsubseteq_D [\![N]\!]$ then $M \sqsubseteq_\ell N$.

Proof. By Proposition 2, if a $\lambda$-term $M$ is such that $[\![M]\!] \not\approx \bot$, then $M$ is not strongly unsolvable, and the lazy reduction strategy converges on $M$ (see Section 2). The second point is readily proved by observing that the denotational semantics is compositional and monotonic; therefore, for every closed context $C[\ ]$, if $[\![M]\!] \sqsubseteq_D [\![N]\!]$, then $[\![C[M]]\!] \sqsubseteq_D [\![C[N]]\!]$ and therefore $C[M]\Downarrow \Rightarrow C[N]\Downarrow$.

□



5.1 Extensional Collapse

The theory $\mathcal{LT}$ is strictly weaker than the theory $\approx_\ell$; for example, the terms $\lambda x.xx$ and $\lambda x.x(\lambda y.xy)$ have different Levy-Longo trees but are equated by $\approx_\ell$. In order to obtain a fully abstract model, we need to interpret $\lambda$-terms in the category $\mathcal{E}_M$ defined as an extensional collapse of the category $\mathcal{G}_M$. We need to use the Sierpinski game, that is the game $I_\bot$.

Definition 16 (Intrinsic pre-order). Given a game $A$, the intrinsic pre-order $\preceq_A$ on the strategies for $A$ is defined by:

$$\sigma_1 \preceq_A \sigma_2 \iff \forall \tau : A \multimap I_\bot.\ \tau \circ \sigma_1 \sqsubseteq \tau \circ \sigma_2$$

In the above expression we implicitly coerce the strategies in $A$ into $I \multimap A$.

We denote by $\sim_A$ the partial equivalence relation induced by $\preceq_A$. The category $\mathcal{E}_M$ has as objects games and as morphisms equivalence classes w.r.t. $\sim$ of strategies.

It is not difficult to verify that the intrinsic pre-order is preserved by all the categorical constructions presented above. Therefore, the category $\mathcal{E}_M$ can be used in modelling the $\lambda$-calculus. In particular, the game $\lambda$-model $D$ with the interpretation of Definition 14 gives rise to a $\lambda$-model also inside the category $\mathcal{E}_M$.

6 Full Abstraction

As usual, the proof of full abstraction splits into two parts.

Theorem 1 (Soundness). For any pair of closed $\lambda$-terms $M, N$, we have:

$$[\![M]\!] \preceq_D [\![N]\!] \Rightarrow M \sqsubseteq_\ell N$$

Proof. It is immediate to check that the only strategy $\sim_D$-equivalent to $\bot$ is the strategy $\bot$ itself. It follows that the model $D$ is adequate also in the category $\mathcal{E}_M$. By the compositionality of the interpretation, soundness follows immediately. □

In order to prove completeness, some preliminary results need to be presented.

Proposition 4. The following properties hold in the game $\lambda$-model $D$:

(i) Every question has only one possible answer and every answer has only one possible consecutive question. Formally, for every pair of plays $sab, tab' \in P_D$, if $\lambda^{QA}(b) = \lambda^{QA}(b') = \overline{\lambda^{QA}(a)}$ then $b = b'$.

(ii) For every move $a \in M_D$, the set of predecessors of $a$ w.r.t. the order $\prec_D$ is a finite and linearly ordered set.

(iii) With respect to the order $\prec_D$, every question move has one immediate successor, the corresponding answer; while every answer move $a$ has infinitely many immediate successors, which are the consecutive questions at the same nesting level, and an infinite number of questions at the next nesting level (these questions are the initial moves of a subcomponent $!D$ of game $D$).

(iv) For every strategy $\sigma : D$ and for every move $a \in M_D$, the set $drv(\sigma, a)$ is linearly ordered w.r.t. $\prec_D$.

Proof. The first three points can be proved by induction on the chain of games $F^n(I)$. Point (iv) follows from point (i). □
Lemma 1. Any strategy α : D ⊸ I_⊥ can be extended to a strategy α_D : D ⊸ D 
such that for any strategy σ : D, o : • ∈ α ∘ σ if and only if o : • ∈ α_D ∘ σ. 

Proof. Since game D ⊸ I_⊥ is a sub-game of game D ⊸ D, it is sufficient to 
extend α to a monotone strategy on game D ⊸ D, which can be done incrementally. 
Let α_0, ..., α_n, ... be an infinite chain of strategies constructed in the 
following way: 

    α_0 = α; 

    α_{i+1} = α_i ∪ { sab ∈ P_{D⊸D} | s ∈ α_i, sa ∈ P_{D⊸D}, 
                      ∪_{a′∈M_D, a′≺a} drv(α_i, a′) ≠ ∅, 
                      b minimal upper bound w.r.t. ≺_D of ∪_{a′∈M_D, a′≺a} drv(α_i, a′) }. 

In the above definition the choice of the element b is not necessarily unique. 
In some cases the minimal upper bounds of ∪_{a′∈M_D, a′≺a} drv(α_i, a′) can form a 
countable set: the initial questions or answers in some subcomponent !D of 
game D. In these cases, almost any possible choice gives rise to an equivalent 
(w.r.t. ≈_D) strategy; some care has to be taken when the move a is itself an 
initial question or answer in some other subcomponent !D of game D, in which 
case it is sufficient to choose for b the same index as for the move a. 

Strategy α_D is finally defined as α_D = ∪_{n∈N} α_n. □ 

It is interesting to observe that if one performs the above construction starting 
from the strategy α = {ε, o0, o0**}, one obtains a strategy α_D ≈_D id_D. 

Proposition 5 (Definability). For any play s in game D such that nl(s) = 0, 
there exists a closed λ-term M such that s ∈ [[M]] and [[M]] ⊆ σ for any strategy 
σ with s ∈ σ. 

For the above proposition we give only an informal and intuitive proof. A 
formal proof would require the introduction of several new concepts and would be 
more difficult to grasp. 

We will associate to the play s a Lévy-Longo tree or, equivalently, a λ-term that 
represents a Lévy-Longo tree. In order to do that, we decompose the play s into several 
levels, each level determining a node of the Lévy-Longo tree. 

We need to introduce some notation. Given a play t and an interval I of 
natural numbers, we denote by t↾I the subsequence of t formed by the moves 
whose nested level is a value in the interval I. 

The sequence s↾[0,1] is a play contained in the strategy σ. In fact, the sequence s↾[0,1] 
describes the behaviour of the strategy σ under the hypothesis that the Opponent answers 
immediately the questions posed by the Player (without posing nested questions). 
Since, in game D, the Opponent is always allowed to answer immediately the 
questions of the Player, the sequence s↾[0,1] is a play. Since in s↾[0,1] the 
behaviour of the Player, in reaction to the last move of the Opponent, is the same 
as in s, and since σ is a history-free strategy, it follows that s↾[0,1] ∈ σ. 

The play s↾[0,1] can be in one of the following forms: 

— the Player always answers the questions of the Opponent; 

— the Player answers n times the questions of the Opponent, then at 
the (n+1)-th question q of the Opponent, the Player replies by posing a question. 
In this case, the Player is in the position to make the second move in a 
game having the form !D ⊸ (!D ⊸ ... (!D ⊸ D) ...) and it can choose to pose a 
question in one of the n instances of D standing on the left of an arrow. After 
that, the monotonicity condition on plays forces the Player to react to the 
answer of the Opponent either by posing a consecutive question in the same 
component or by giving an answer to question q. In all cases, after having 
posed m consecutive questions in the same component, the Player will answer 
question q. The condition of monotonicity on strategies now forces the play 
s↾[0,1] to proceed in only one possible way. At the consecutive question of 
the Opponent the Player needs to reply with a move that is stronger (w.r.t. 
the ≺_D order) than the last question posed by the Player (q_P). This implies 
that the Player needs to pose the question consecutive to question q_P. At 
the answer of the Opponent the Player, by the monotonicity condition on 
strategies, needs to reply with an answer (only one answer is available). And 
the previous argument applies to all consecutive moves. 

In the first case above, the play s has all moves at nested level 0, and it is possible 
to check that s ∈ [[λx1...xn.Ω]] and that [[λx1...xn.Ω]] ⊆ σ. In the second 
case, it is possible to check that s↾[0,1] ∈ [[λx1...xn.xi Ω...Ω]] (with m occurrences 
of Ω). Moreover, it is possible to prove that [[λx1...xn.xi Ω...Ω]] ⊆ σ; this can be 
done by proving, by induction on the length of plays, that the monotonicity condition 
forces the strategy σ to behave in a copy-cat way. 

The sequence s↾[2,∞] is a play in a game of the form !D ⊸ !D ... ⊸ (!D ⊗ ... ⊗ !D), 
where the instances of D on the left of the ⊸ arrow denote variables that can 
be interrogated by the Player, and the instances of D on the right of the ⊸ 
arrow denote the arguments of the head variable. The first move in s↾[2,∞] is 
a question of the Opponent asking whether one of the arguments of the head variable 
is a λ-abstraction, and s is a play in game !D ⊸ !D ... ⊸ (!D ⊗ ... ⊗ !D) 
defining the external structure of one argument of the head variable. It follows 
that there exists a λ-term P = λx1...xn.xi Ω ... (λxj1...xjm.xk Ω ... Ω) ... Ω 
such that s↾[0,3] ∈ [[P]] and [[P]] ⊆ σ. 

The above analysis can be repeated for the consecutive levels of nested moves, 
each slice s↾[2i, 2i+1] representing a play where the Opponent interrogates the 
Player in order to know the structure of some subterms of the Player. In this 
way the play s determines a Lévy-Longo tree approximation of the strategy σ to which 
s belongs. 

From the above propositions one can finally conclude: 

Theorem 2 (Completeness). For any pair of closed λ-terms M, N, we have: 

    M ⊑ N  ⟹  [[M]] ≤_D [[N]] 

Proof. Suppose there exists a strategy α such that α ∘ [[M]] ≠ ⊥. By Lemma 
1, there exists a minimal strategy α_D such that α_D ∘ [[M]] ≠ ⊥. Let o s* be the 
(initial) sequence of moves generated in the interaction between the strategies 
α_D and [[M]]. The play o s* is contained in the strategy α_D : D ⊸ D, while the play t = o* o s* 
is contained in the strategy α_D ∘ [[M]] : D. Let P be the term defining the minimal 
strategy containing the play t. By a simple calculation it follows that [[PM]] ≠ ⊥, 
and the following chain of implications is immediate: [[PM]] ≠ ⊥ ⟹ PM ⇓ ⟹ 
PN ⇓ ⟹ [[PN]] ≠ ⊥ ⟹ α_D ∘ [[N]] ≠ ⊥ ⟹ α ∘ [[N]] ≠ ⊥. □ 
1 Introduction 

The λ-calculus plays a key role in the foundations of logic and of programming 
language design, and in the implementation of logics and languages as well. The 
foundation of the λ-calculus itself is β-conversion, which relates the primitive notions 
of abstraction and application in terms of substitution. Classical λ-calculus 
treats substitution as an atomic operation, but in the presence of variable 
binding substitution is a complex operation to define and to implement. So 
a more careful analysis is required if one is to reason about the correctness of 
compilers, theorem provers, or proof-checkers. Furthermore the actual cost of 
performing substitution should be considered when reasoning about the complexity 
of implementations. 

Abadi, Cardelli, Curien, and Lévy [1] defined a calculus of explicit 
substitutions to serve as a more faithful model of implementations of the 
λ-calculus. Since then a variety of explicit substitution calculi have been 
defined. The original motivation for the Abadi-Cardelli-Curien-Lévy calculus was 
pragmatic, but there is another point of view one may take on such a calculus, 
namely that making substitution explicit permits a more refined analysis of 
substitution than does classical λ-calculus. As historical context we note that 
in their book [12] Curry and Feys insist on the importance of substitution 
in logic in general and especially in the framework of λ-calculus. They write 
[page 6] that the synthetic theory of combinators “gives the ultimate analysis 
of substitutions in terms of a system of extreme simplicity. The theory of 
lambda-conversion is intermediate in character between synthetic theories and 
ordinary logics. Although its analysis is in some ways less profound — many of 
the complexities in regard to variables are still unanalyzed there — yet it is none 
the less significant; and it has the advantage of departing less radically from 
our intuition.” From this point of view one can see an explicit substitution 
calculus as an improvement on both the system of combinators and the classical 
λ-calculus, since it is a system whose mechanics are first-order and as simple as 
those of combinatory logic yet which retains the same intensional character as 
traditional λ-calculus. In particular we may view explicit substitution calculi as 
primary and see the classical λ-calculus as a subsystem of these systems, defined 
by a particular strategy of “eagerly” evaluating the substitution constructed by 
contracting a β-redex. In this way the study of explicit substitutions represents 
a deeper examination of the relationship between abstraction and application. 
This setting invites the programme of refining the results of the classical λ-calculus 
by finding proofs of their explicit-substitution analogues in the explicit 
substitution system itself. One can reasonably expect in this way to gain insight 
into the original λ-calculus. As a case study, in this paper we present a systematic 
study of the relation between normalization and types. 

In many calculi of explicit substitutions, including the original Abadi, 
Cardelli, Curien, Lévy system, substitutions are first-class citizens and there is an 
algebraic/computational structure on the substitutions themselves, reflecting the 
fact that composition is a natural operation on substitutions. Melliès [17] made 
the somewhat surprising discovery that the presence of substitution-composition 
leads to the failure of strong normalization even for simply-typed terms. This 
suggests that it is useful to analyze the effect of making substitution explicit 
independently of studying composition of substitutions. Composition-free calculi 
of explicit substitutions have been studied in [16,7,4] among others. 

Here we work in the composition-free calculus λx (which uses names rather 
than de Bruijn indices) and the calculus λxgc obtained by adding explicit 
garbage-collection to λx. 



Summary of results 

Our main results concern the set of terms typable in various intersection-type 
disciplines. We show that in each of λx and λxgc the terms which normalize by 
leftmost reduction and the terms which normalize by head reduction can each 
be characterized as the set of terms typable in a certain system. Our notions 
of leftmost and head reduction are non-deterministic, and our normalization 
theorems apply to any computations obeying these strategies. In this way we 
refine and strengthen these classical normalization theorems. See [18] where a 
similar issue is discussed. Surprisingly, the situation for the strongly normalizing 
terms diverges from the classical λ-calculus. For the natural generalization of 
the classical type system we prove that typable terms are strongly normalizing. 
But the converse fails: see Section 7. 

In addition to their theoretical and methodological interest our results have 
consequences for the study of the implementation of functional programming 
languages. Recall that the theoretical foundation for the correctness of the 
standard evaluation strategy for functional languages is the classical theorem 
that leftmost reduction is normalizing (see for example [19] Prop. 2.4.12). 
When explicit substitutions are offered as a basis for an implementation one 
should define and analyze a corresponding notion of “leftmost” reduction. To 
our knowledge this analysis has not been previously done. The natural notion 
of leftmost reduction we define here is related to, but a refinement of, the 
classical notion; the non-determinism in leftmost reduction here corresponds 
to a choice between certain standard implementation strategies ([5]). The proofs 
we present here readily yield the results that a term is (strong-, leftmost-, or 
head-) normalizing iff it is so in the calculus extended by garbage-collection. Our 
results support the claim that garbage-collection is a very natural addition to the 
system, even from a purely theoretical point of view, since the resulting calculus 
has more convenient closure properties than the simple calculus (Lemma 2 is an 
example). 

The intersection type systems we study are natural generalizations of the 
corresponding classical systems, and in fact the global structure of the proofs 
follows a standard paradigm (as in [3]). But the explicit reductions involving 
substitutions lead to combinatorial complications not arising in the traditional 
treatments, and the proofs require some new techniques. The first result on strong 
normalization of calculi of explicit substitution was the so-called preservation of 
strong normalization: a pure (substitution-free) term is strongly normalizing 
under reduction in the presence of explicit substitutions if and only if it is 
strongly normalizing under β-reduction. We stress that, in keeping with our aim 
of treating the explicit substitutions calculus as logically prior to the traditional 
λ-calculus, we develop the machinery needed for direct proofs which do not 
depend on results from the theory of β-reduction. 

This paper contains few proofs, but a full version with all the proofs is 
available at http://www.ens-lyon.fr/~plescann/publications.html 



2 Terms and reduction strategies 

In this section, we describe the terms of the calculus of explicit substitutions 
with explicit names λx and specify strategies of reduction toward normal forms, 
namely λx-reduction, head reduction, and leftmost reduction. 

Actually the same set of terms can be described in many different ways, which 
we call taxonomies. 

Definition 1 (The basic taxonomy). The set of terms with explicit substitutions 
Λx is the set of terms M defined as follows: 

    M, N ::= x | λx.M | MN | M⟨x=N⟩ 

The set of free variables of a term is defined just as for the classical λ-calculus, 
with an additional clause ensuring that the free variables of M⟨x=N⟩ are the 
same as the free variables of (λx.M)N. In particular, x is bound in M⟨x=N⟩. 
The set of free variables of a term M is written FV(M); sometimes for simplicity 
we write x ∈ M instead of x ∈ FV(M). 

We assume Barendregt’s [2] convention, namely that a variable does not occur 
both free and bound in the same term. For instance, we assume that x does not occur 
free in N in the term M⟨x=N⟩. The rules we define further assume this 
convention and the reader should keep this fact in mind when reading them and 
certain forthcoming lemmas. 
To describe the second taxonomy nicely it will be very convenient to have 
a notation for a term M to which is applied a sequence of closures 
⟨z1=S1⟩, ..., ⟨zm=Sm⟩ and then a sequence of applications to terms T1, ..., Tn. 
Such a term M⟨z1=S1⟩...⟨zm=Sm⟩T1...Tn will be abbreviated as M⟨z=S⟩T. 

Lemma 1 (The head form taxonomy). Every term is of precisely one of the 
following forms: 

    λx.B                                     (λy.B)⟨x=A⟩⟨z=S⟩T 
    (λx.B)A T1 ... Tn    with n ≥ 0          (UV)⟨x=A⟩⟨z=S⟩T 
    x T1 ... Tn          with n ≥ 0          x⟨x=A⟩⟨z=S⟩T 
                                             y⟨x=A⟩⟨z=S⟩T       with x ≠ y 

Proof. Straightforward. □ 

Following Barendregt [2] we distinguish between a set of rules defining a 
notion of reduction and a reduction relation induced by closing a notion of 
reduction under certain contexts. Sometimes the latter are called strategies and 
play a main role in the evaluation of functional programming languages [5]. Some 
reductions are deterministic, which means that the structural rules determine a 
unique redex to be reduced. Others are non-deterministic. 

The following notion of reduction is due to R. Bloo and K. Rose [8,21,6]. 
The rules VarI and VarK, called respectively xv and xvgc by Rose, have been 
renamed here to recall the distinction between the classical λI and λK calculi. 

Definition 2. The notions of reduction λx and λxgc are induced by the rules in 
Table 1: the notion of reduction λx is obtained by deleting the rule gc, and the 
notion of reduction λxgc is obtained by deleting the rule VarK. 

The rule gc is called “garbage collection”, as it removes useless substitutions. 



    (B)      (λx.B)A        →  B⟨x=A⟩ 
    (App)    (MN)⟨x=A⟩      →  M⟨x=A⟩ N⟨x=A⟩ 
    (Abs)    (λy.M)⟨x=N⟩    →  λy.M⟨x=N⟩ 
    (VarI)   x⟨x=N⟩         →  N 
    (VarK)   y⟨x=N⟩         →  y 
    (gc)     M⟨x=A⟩         →  M           if x ∉ FV(M) 

Table 1. The reduction rules. 



Of course in the presence of rule gc we do not need rule VarK. On the other 
hand it is not the case that gc can be directly simulated by the other rules: 
consider the garbage-collection step x⟨x=y⟩⟨v=w⟩ → x⟨x=y⟩. Rule gc has a 
different character from the other rules in the sense that it represents a more 
complex transformation than those of the other, atomic, substitution operations. 
On the other hand, with an appropriate data structure for maintaining (the free 
variables in) terms it can be efficiently implemented and provides a tool to 
prevent memory leaks. And as Bloo and Rose have demonstrated it is quite 
convenient when reasoning about the formal properties of the calculus. 

Notation. In the main technical development of this paper we will work 
exclusively with the full system λxgc. So unless explicitly stated otherwise, 
phrases such as “reduction” refer to reduction in system λxgc. At the end of 
the paper (Section 8) we will see that the results for the system not including 
garbage collection follow readily from the results for λxgc. 

Remark. As is well-known, λxgc has a critical pair, namely: 

                          ((λx.M)N)⟨y=L⟩ 
                         /                \ 
        (λx.M⟨y=L⟩) N⟨y=L⟩                M⟨x=N⟩⟨y=L⟩ 

Most of the difficulty in working with the system is due to this critical pair; this 
will be amply demonstrated in the sequel. 

Definition 3 (Unrestricted reduction). Unrestricted reduction (or λxgc-reduction) 
allows a reduction rule to be applied in any context. 

A term M is strongly normalizing if there is no infinite λxgc-reduction 
starting from M. The set of strongly normalizing terms is denoted SN. 

Definition 4 (Head reduction). Head reduction is the closure of λxgc under 
the structural rules of Table 2. 

           U → U′ 
    ─────────────────   U is not an abstraction 
          UV → U′V 

           B → B′ 
    ───────────────── 
      λx.B → λx.B′ 

             M → M′ 
    ───────────────────────   M is not an abstraction 
      M⟨x=A⟩ → M′⟨x=A⟩ 

Table 2. Head reduction 

A term M is head normalizing if there is no infinite head reduction starting 
from M. The set of head normalizing terms is denoted HN. 

A head normal form is a term of the form λx1...xk.xA1...An where x is a free 
variable or one of the xi and Ai ∈ Λx. 
Definition 5 (Leftmost reduction). Leftmost reduction is the closure of λxgc 
under the structural rules in Table 3. 

           U → U′ 
    ─────────────────   U is not an abstraction 
          UV → U′V 

           B → B′ 
    ───────────────── 
      λx.B → λx.B′ 

             M → M′ 
    ───────────────────────   M is not an abstraction 
      M⟨x=A⟩ → M′⟨x=A⟩ 

                 Ai → Ai′ 
    ─────────────────────────────────   Ai is the leftmost of A1, ..., An not in normal form 
      xA1...Ai...An → xA1...Ai′...An 

Table 3. Leftmost reduction 

A term M is leftmost normalizing if there is no infinite leftmost reduction 
starting from M. The set of leftmost-normalizing terms is denoted LN. 

Remark. Observe that in contrast to the classical notions both head 
reduction and leftmost reduction are nondeterministic strategies. Indeed both 
reductions out of the critical pair noted earlier count as head reductions. 
For example, let M be ((λx.B)A)⟨y=C⟩⟨z=S⟩T. Then M can rewrite 
by leftmost reduction either to P = B⟨x=A⟩⟨y=C⟩⟨z=S⟩T, or (in 
two steps) to Q = ((λx.B⟨y=C⟩) A⟨y=C⟩)⟨z=S⟩T. Then, since 
λx.B⟨y=C⟩ is an abstraction, Q leftmost-rewrites via rule B to 
Q′ = B⟨y=C⟩⟨x=A⟨y=C⟩⟩⟨z=S⟩T. 



3 Two fundamental Lemmas 

To prove the main theorems of this paper, we need two very general lemmas 
which we present in this section. These lemmas aim at proving the following two 
facts (where 𝒩 stands for SN, LN, or HN): 

    M⟨x=N⟩⟨y=L⟩ ∈ 𝒩   if   M⟨y=L⟩⟨x=N⟨y=L⟩⟩ ∈ 𝒩, 

and 

    M⟨x=A⟩ ∈ 𝒩   if   M ∈ 𝒩 and x ∉ FV(M), 

where, when 𝒩 is SN, we require A ∈ SN as well. 



A remark on the classical Substitution Lemma 

The Substitution Lemma of the classical λ-calculus [2] states a fundamental 
property of (implicit) substitutions, namely that, when x is not free in L, 

    M[x := N][y := L] = M[y := L][x := N[y := L]] 

The two terms above are syntactically identical. When generalized to an explicit 
substitution calculus the analogous statement is weakened to provable equality: 

    M⟨x=N⟩⟨y=L⟩ = M⟨y=L⟩⟨x=N⟨y=L⟩⟩ 

It is not hard to see that the two terms above can have quite different reduction 
behavior. In particular it is possible for the left-hand side to be SN while the 
right-hand side admits an infinite reduction. For instance, take M = z, N = yy 
and L = λu.uu. 

The Composition Lemma below states that if the right-hand side is SN then 
so is the left-hand side. So there is a fundamental asymmetry in this situation. 
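As an added example (written for this page, not code from the paper), the following Python interpreter implements the terms of Definition 1 and the rules of Table 1, and uses them to reproduce three points of Section 2 and of this remark: the critical pair, the gc step x⟨x=y⟩⟨v=w⟩ → x⟨x=y⟩ that no other rule produces, and the asymmetry of the Substitution Lemma for M = z, N = yy, L = λu.uu. The constructor names, the printing convention M<x=N>, and the fuel-bounded cycle search used to detect non-termination are this example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Union
# Added example for this page (not the paper's code): terms of Definition 1,
# the rules of Table 1 and a bounded search over unrestricted reduction.
@dataclass(frozen=True)
class Var:
    name: str
@dataclass(frozen=True)
class Lam:                 # \x.M
    x: str
    body: Term
@dataclass(frozen=True)
class App:                 # MN
    fun: Term
    arg: Term
@dataclass(frozen=True)
class Clo:                 # M<x=N>, a closure (explicit substitution)
    body: Term
    x: str
    sub: Term

Term = Union[Var, Lam, App, Clo]

def fv(t: Term) -> frozenset[str]:
    """Free variables; x is bound in M<x=N>, exactly as in (\\x.M)N."""
    if isinstance(t, Var):
        return frozenset({t.name})
    if isinstance(t, Lam):
        return fv(t.body) - {t.x}
    if isinstance(t, App):
        return fv(t.fun) | fv(t.arg)
    return (fv(t.body) - {t.x}) | fv(t.sub)

def show(t: Term) -> str:
    if isinstance(t, Var):
        return t.name
    if isinstance(t, Lam):
        return f"(\\{t.x}.{show(t.body)})"
    if isinstance(t, App):
        return f"({show(t.fun)} {show(t.arg)})"
    return f"{show(t.body)}<{t.x}={show(t.sub)}>"

def root_steps(t: Term, gc: bool) -> list[tuple[str, Term]]:
    """Table 1 at the root; gc=False is lambda-x (VarK), gc=True is lambda-xgc (gc)."""
    out: list[tuple[str, Term]] = []
    if isinstance(t, App) and isinstance(t.fun, Lam):
        out.append(("B", Clo(t.fun.body, t.fun.x, t.arg)))
    if isinstance(t, Clo):
        m, x, a = t.body, t.x, t.sub
        if isinstance(m, App):
            out.append(("App", App(Clo(m.fun, x, a), Clo(m.arg, x, a))))
        elif isinstance(m, Lam):   # Abs relies on Barendregt's convention
            out.append(("Abs", Lam(m.x, Clo(m.body, x, a))))
        elif isinstance(m, Var) and m.name == x:
            out.append(("VarI", a))
        elif isinstance(m, Var) and not gc:
            out.append(("VarK", m))
        if gc and x not in fv(m):
            out.append(("gc", m))
    return out

def steps(t: Term, gc: bool = True) -> list[tuple[str, Term]]:
    """Unrestricted one-step reducts: any rule applied in any context."""
    out = root_steps(t, gc)
    if isinstance(t, Lam):
        out += [(r, Lam(t.x, b)) for r, b in steps(t.body, gc)]
    elif isinstance(t, App):
        out += [(r, App(f, t.arg)) for r, f in steps(t.fun, gc)]
        out += [(r, App(t.fun, a)) for r, a in steps(t.arg, gc)]
    elif isinstance(t, Clo):
        out += [(r, Clo(b, t.x, t.sub)) for r, b in steps(t.body, gc)]
        out += [(r, Clo(t.body, t.x, s)) for r, s in steps(t.sub, gc)]
    return out

def strongly_normalizing(t: Term, fuel: int = 40) -> bool:
    """Explore every lambda-xgc reduction sequence; a term repeating on a path
    is a cycle (infinite reduction).  Exhausting the fuel also answers False."""
    def go(u: Term, path: frozenset) -> bool:
        if u in path or len(path) > fuel:
            return False
        return all(go(v, path | {u}) for _, v in steps(u))
    return go(t, frozenset())

def critical_pair() -> dict[str, str]:
    """((\\x.M)N)<y=L> with M = y: B inside and App at the root (the Remark)."""
    t = Clo(App(Lam("x", Var("y")), Var("n")), "y", Var("l"))
    return {rule: show(u) for rule, u in steps(t)}

def gc_reducts() -> list[list[str]]:
    """x<x=y><v=w> without gc (only VarI inside) and with gc (root step to x<x=y>)."""
    t = Clo(Clo(Var("x"), "x", Var("y")), "v", Var("w"))
    return [sorted(show(u) for _, u in steps(t, g)) for g in (False, True)]

def substitution_lemma_sides() -> tuple[Term, Term]:
    """M = z, N = yy, L = \\u.uu: left side M<x=N><y=L> is SN, right side is not."""
    n, d = App(Var("y"), Var("y")), Lam("u", App(Var("u"), Var("u")))
    left = Clo(Clo(Var("z"), "x", n), "y", d)
    right = Clo(Clo(Var("z"), "y", d), "x", Clo(n, "y", d))
    return left, right
```

The right-hand side loops because (yy)⟨y=λu.uu⟩ reduces to (λu.uu)(λu.uu), which the search recognises as a repeated term along one reduction path.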



3.1 The Composition Lemma 

Let us consider the following rule 

    M⟨x=N⟩⟨y=L⟩ → M⟨y=L⟩⟨x=N⟨y=L⟩⟩ 

which we call composition. It abstracts the composition one finds in systems like 
λσ [1, 11] (namely the rule called Map) or in the extension λx‖c of λx [6, 7, 14, 
15] (namely the rule > of [6], see also [21] page 75). 

We would like to see that the converse of the composition rule preserves 
(strong, head, or leftmost) normalization. Unfortunately this rule does not 
commute in a nice way with reduction, essentially due to the duplication of 
substitutions in the App rule. 

The following relation is a “bottom-up parallel extension” of the composition 
rule, which propagates and duplicates the applications of this rule inside terms. 
In particular, rule Cpabs pushes a substitution through an abstraction, Cpapp 
pushes through an application, and Cpclo pushes through a closure. The other 
rules make it a congruence. 



Definition 6. The relation ⇒ is given by the inductive definition indicated in 
Table 4. 

    [Cref]                M ⇒ M 

                 B ⇒ B′                                  B⟨y=Q⟩ ⇒ B⁺ 
    [Cabs]   ─────────────────        [Cpabs]   ─────────────────────────── 
              λx.B ⇒ λx.B′                        (λx.B)⟨y=Q⟩ ⇒ λx.B⁺ 

             U ⇒ U′    V ⇒ V′                    U⟨y=Q⟩ ⇒ U⁺    V⟨y=Q⟩ ⇒ V⁺ 
    [Capp]   ─────────────────        [Cpapp]   ─────────────────────────── 
                UV ⇒ U′V′                          (UV)⟨y=Q⟩ ⇒ U⁺V⁺ 

             B ⇒ B′    A ⇒ A′                    M⟨y=Q⟩ ⇒ M⁺    P⟨y=Q⟩ ⇒ P⁺ 
    [Cclo]   ─────────────────        [Cpclo]   ─────────────────────────── 
            B⟨z=A⟩ ⇒ B′⟨z=A′⟩                   M⟨x=P⟩⟨y=Q⟩ ⇒ M⁺⟨x=P⁺⟩ 

Table 4. The rules for ⇒ 
Lemma 2. Let ⇝ stand for either unrestricted reduction, leftmost 
reduction, or head reduction. If M ⇒ M′ and M ⇝ M″ then there is an 
M* with M″ ⇒ M* and M′ ⇝* M*. Furthermore, if M ⇝ M″ is a 
B-step then in fact M′ ⇝⁺ M* with at least one B-step. 

Proof. By induction over the definition of M ⇒ M′. □ 

Corollary 1. Suppose M ⇒ M′. 

- If M′ ∈ HN then M ∈ HN. 

- If M′ ∈ LN then M ∈ LN. 

- If M′ ∈ SN then M ∈ SN. 

Proof. As is well-known, the set of rules of λxgc other than the B-rule comprises 
a strongly normalizing rewrite system. So any infinite reduction out of M must 
involve infinitely many B-steps. With this observation each of the claims follows 
easily from Lemma 2. □ 

In particular, suppose that T′ is obtained from T by the composition rule 
as defined at the beginning of this section. We conclude that if T′ is strongly 
normalizing then T is strongly normalizing; similarly for leftmost and head 
normalization. These results will be crucial in the coming sections. 

3.2 The Closure lemma 

Now we want to prove that (head, leftmost, or strong) normalization is not 
affected by garbage-collection of normalizing terms. For technical reasons we 
state the result rather generally. 

Definition 7. An n-multi-context is a term with n holes in which we can insert 
n terms. If n is understood, we say a multi-context. 

If C[...] is a multi-context and M1, ..., Mn are terms, then the 
insertion of those terms in C[...] is denoted C[M1, ..., Mn]. 

Lemma 3. Let C[...] be a multi-context, and let A1, ..., An and M1, ..., Mn be 
terms with x ∉ FV(M1), ..., x ∉ FV(Mn). 

- If C[M1, ..., Mn] ∈ HN then C[M1⟨x=A1⟩, ..., Mn⟨x=An⟩] ∈ HN. 

- If C[M1, ..., Mn] ∈ LN then C[M1⟨x=A1⟩, ..., Mn⟨x=An⟩] ∈ LN. 

- If C[M1, ..., Mn] ∈ SN and Ai ∈ SN for 1 ≤ i ≤ n then 
C[M1⟨x=A1⟩, ..., Mn⟨x=An⟩] ∈ SN. 

Proof. By induction on triples (D, M, A) where D is a term and M and A are 
multisets of terms. □ 
Corollary 2. Let M = N⟨x=A⟩⟨z=S⟩T with x ∉ FV(N) and let 
M′ = N⟨z=S⟩T. 

— If M′ ∈ HN then M ∈ HN. 

— If M′ ∈ LN then M ∈ LN. 

— If M′ ∈ SN and A ∈ SN then M ∈ SN. 

4 Saturated Sets 

Definition 8. A set S is X-saturated (or saturated if there is no ambiguity 
about the set X), if it is closed under the rules of inference in Table 5. 

            B⟨x=A⟩ T 
    ──────────────────────── sat-B 
            (λx.B)A T 

        (λy.B⟨x=A⟩)⟨z=S⟩T 
    ──────────────────────── sat-Abs 
        (λy.B)⟨x=A⟩⟨z=S⟩T 

      M⟨y=Q⟩⟨x=P⟨y=Q⟩⟩⟨z=S⟩T 
    ──────────────────────────── sat-comp 
        M⟨x=P⟩⟨y=Q⟩⟨z=S⟩T 

             A⟨z=S⟩T 
    ──────────────────────── sat-I 
          x⟨x=A⟩⟨z=S⟩T 

      (U⟨x=A⟩)(V⟨x=A⟩)⟨z=S⟩T 
    ──────────────────────────── sat-App 
         (UV)⟨x=A⟩⟨z=S⟩T 

       N⟨z=S⟩T     A ∈ X and x ∉ FV(N) 
    ──────────────────────────────────── sat-gc 
             N⟨x=A⟩⟨z=S⟩T 

Table 5. X-saturated sets 

Note that the set X occurs only in the rule sat-gc. In practice the set X will 
depend on the reduction we consider. 

Definition 9 (Function space). If A and B are sets of terms then A → B is 
{M | for all N ∈ A, MN ∈ B}. 

The following are very easy consequences of the definition. 

Lemma 4. Let A and B be sets of terms. 

1. If B is saturated then so is A → B. 

2. If A and B are saturated then so is A ∩ B. 

The major part of the technical difficulty in lifting the classical normalization 
proofs to our explicit substitutions setting is embodied in the next Lemma. In 
fact all of the work in the previous section was for the purpose of establishing 
these results. 

Lemma 5. 

— SN is SN-saturated. 

— HN is Λx-saturated. 

— LN is Λx-saturated. 

The notion of saturation is key to the proof of the Soundness Theorem below 
for the type systems. It is amusing to note that closure under sat-gc for SN, HN, 
and LN is used precisely in showing that the start rule below for typing variables 
is sound: in the standard λ-calculus this is a triviality but in our calculus we 
ultimately rely on the difficult argument embodied in Lemma 3. 

5 Types and Soundness 

Definition 10 (The system of type assignment 𝒟_Ω). Given an infinite set 
of type-variables and a distinguished type-constant ω, the set of types is formed 
by closing the type-variables and ω under the operations σ → τ and σ ∩ τ. 

A statement is an expression of the form M : τ, where M is a term, the 
subject of the statement, and τ is a type. A basis is a set of statements with 
distinct variables as subjects. A judgment is a triple Γ, M, τ where Γ is a basis, 
M is a term, and τ is a type; the notion of a judgment’s being derivable, denoted 
Γ ⊢ M : τ, is given by the rules of inference in Table 6. 

We say that a term M is typable if there exist a Γ and a τ such that 
Γ ⊢ M : τ. 

We identify two systems: the system 𝒟_Ω itself and the subsystem 𝒟 obtained 
by omitting the type ω and the rule ω-I. 

The form of the cut rule ensures that a closure M⟨x=N⟩ has exactly the same 
typing behavior as the associated B-redex (λx.M)N. That is, for every Γ and τ, 

    Γ ⊢ M⟨x=N⟩ : τ   iff   Γ ⊢ (λx.M)N : τ. 
Definition 11. An interpretation I is a function from types to sets of terms 
obeying the following: 

    I_ω = Λx   (in system 𝒟_Ω) 

    I_{σ→τ} = I_σ → I_τ 

    I_{σ∩τ} = I_σ ∩ I_τ 

Obviously an interpretation is completely determined by its value on the type 
variables. Suppose I is an interpretation and X is a set of terms such that I_t 
is X-saturated for each type-variable t. Then I_τ is X-saturated for each type τ: 
for τ = ω we observe that Λx is itself X-saturated, and for the other types we 
invoke Lemma 4. 

Theorem 1 (Soundness). Let I be an interpretation and let X be a class of 
terms such that I_t is X-saturated for each type-variable t and such that I_σ ⊆ X 
for each type σ. 

Suppose M is typable with type τ in either 𝒟 or 𝒟_Ω. Then M ∈ I_τ. 
6 Normalization 

Definition 12. (See Cardone and Coppo [10]) A type is proper if it has no 
positive occurrence of ω, antiproper if it has no negative occurrence of ω, and 
strictly proper if it has no occurrence of ω. 

The trivial types are determined by the following rules: 

- ω is trivial. 

- If σ is trivial and θ is any type, then θ → σ is trivial. 

- If σ and τ are trivial, then σ ∩ τ is trivial. 

Head normalization. Consider the system 𝒟_Ω; let “type” mean “type of 𝒟_Ω” 
and let “typable” mean “typable in 𝒟_Ω”. 

Definition 13. Let H be the interpretation which maps each type variable to 
the set HN of head normalizing terms. 

Lemma 6. H_τ ⊆ HN for each non-trivial type τ. 

Corollary 3. If M is typable in 𝒟_Ω with a non-trivial type then M is head 
normalizing. 

Leftmost normalization. Consider the system 𝒟_Ω; let “type” mean “type of 
𝒟_Ω” and let “typable” mean “typable in 𝒟_Ω”. 

Definition 14. Let L be the interpretation which maps each type variable to the 
set LN of leftmost-normalizing terms. 

Lemma 7. L_τ ⊆ LN for each proper type τ. 

Corollary 4. If M is typable in 𝒟_Ω with a proper type then M is leftmost 
normalizing. 

Strong normalization. Consider the system 𝒟; let “type” mean “type of 𝒟” 
and let “typable” mean “typable in 𝒟”. 

Definition 15. Let S be the interpretation which maps each type variable to the 
set SN of strongly normalizing terms. 

Lemma 8. S_τ ⊆ SN for each type τ. 

Corollary 5. If M is typable in 𝒟 then M is strongly normalizing. 

7 Typings for normalizable terms 

Proposition 1. 

1. If H is a head normal form then H is typable in system 𝒟_Ω with a non-trivial 
type. 

2. If N is a normal form then N is typable in system 𝒟. 

Theorem 2 (Subject Reduction). In either of the systems 𝒟_Ω or 𝒟: suppose 
Γ ⊢ M : τ and M → M1. Then Γ ⊢ M1 : τ. 

Theorem 3 (Subject Expansion for 𝒟_Ω). In system 𝒟_Ω: suppose Γ ⊢ M : τ 
and M0 → M. Then Γ ⊢ M0 : τ. 

Corollary 6. Suppose Γ ⊢ M : τ in system 𝒟_Ω and M ↔* M′. Then 
Γ ⊢ M′ : τ. 

Subject Expansion and system 𝒟. 

The Subject Expansion theorem plays a key role in deriving converses, involving 
system 𝒟_Ω, to the normalization results concerning head and leftmost reduction 
(Corollaries 3 and 4 above). We present these converses in the next section. 

It is well-known from the classical λ-calculus that the Subject Expansion 
theorem fails for system 𝒟. But with some care (involving the potential erasing 
of non-typable terms) one can analyze β-expansion in order to derive a converse 
to the classical version of Corollary 5 and so obtain a characterization of the 
strongly normalizing classical terms. 

It seems to be much more difficult to perform such an analysis for expansion 
in the calculus λx. In particular it is not the case that 𝒟-typability is preserved by 
expansion even when the reduction rule in question erases a strongly-normalizing 
subterm. 

Example. Let D be the term λu.uu and M be the term (λx.(λy.z)(xx))D. D is 
𝒟-typable by (t ∩ (t → t)) → t but DD is not SN, so M is not SN. Now consider 

    M → (λx.z⟨y=xx⟩)D → M′ = z⟨y=xx⟩⟨x=D⟩ → M″ = z⟨x=D⟩ 

M″ is SN and is easily seen to be 𝒟-typable. But M′ is SN yet not 𝒟-typable. 
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It is not hard to see that M' is SM. To see that M' is not P-typable, first 
note that by Corollary 5 M cannot be typed since it is not SM. But [\y.z){xx) 
and z{y = xx) have exactly the same typing behavior in our system. 

The reduction from M' to M” witnesses the failure of Subject Expansion; 
the notable thing here is the innocuous nature of the erased subterm xx. The 
reduction {Xy.z)[xx) — > z{y = xx), which reduces an inner B-redex, changes the 
behavior of the term w.r.t. to normalization. This should somewhat be translated 
into the typing system, which is not the case in V. 

The natural reaction to such an example is to conclude that the type system $\mathcal{D}$ should be modified. But the terms $M$ and $M'$ above are related simply by an application of the B-rule. So if we are to have a type system which characterizes strong normalization, it seems that we must abandon the property that closures $B\langle x = A\rangle$ have the same typing behavior as the associated B-redexes $(\lambda x.B)A$ (perhaps only in the case when $x$ is not free in $B$). This would be a fundamental change in what seems to us to be the most natural generalization of the classical type system. We leave the search for a type system characterizing the strongly normalizing terms as a subject for future investigation. 

8 Summary 

In this section we summarize the results of this paper and also address the role of the garbage-collection rule gc in the development. 

As suggested in the introduction, one may view the rule gc as being somewhat out of character with the rest of the explicit substitutions program, since it does not really correspond to an atomic operation on terms. So it is natural to ask whether the relationships we have established between typings and reduction properties carry over to the “pure” calculus without rule gc. 

Since the pure calculus is a subsystem of the full (gc) calculus, one direction of the relationship is immediate, but it is mildly surprising that the full equivalence between the various normalization properties and typing properties can be established for the pure calculus with essentially no extra work. This is shown in the three theorems of this section. 

Recall that head- and leftmost reduction are each non-deterministic, and that when we speak of head- or leftmost reduction below we mean any sequence of reduction steps obeying the given discipline. 

Theorem 4 (Head normalization). Let $M$ be a closed term. The following are equivalent. 

1. $M$ is typable with a non-trivial type in system $\mathcal{D}\omega$. 

2. $M \in \mathcal{HN}$. 

3. $M$ is head-normalizing in the calculus $\lambda x$ (without garbage-collection). 

4. $M$ has a head normal form. 

5. $M$ is solvable, that is, there is an $n$ and terms $X_1, \ldots, X_n$ such that 

$$M X_1 \cdots X_n = \lambda x.x.$$

Proof. We prove … and $4 \Rightarrow 5 \Rightarrow 2$. $\square$ 
Theorem 5 (Leftmost normalization). Let $M$ be a closed term. The following are equivalent. 

1. $M$ is typable in system $\mathcal{D}\omega$ with a type not involving $\omega$. 

2. $M$ is typable with a proper type in system … . 

3. $M \in \mathcal{LN}$. 

4. $M$ is leftmost-normalizing in the calculus $\lambda x$ (without garbage-collection). 

5. $M$ has a normal form. 

Proof. We prove … $\square$ 

It is worth emphasizing the fact that the implications 5 to 3 and 5 to 4 state that in $\lambda x$ and $\lambda x_{gc}$ leftmost reduction is a normalizing strategy. 

Theorem 6 (Strong normalization). Let $M$ be a closed term. 

1. $M \in \mathcal{SN}$ if and only if $M$ is strongly normalizing in the calculus $\lambda x$ (without garbage-collection). 

2. If $M$ is typable in system $\mathcal{D}$ then $M \in \mathcal{SN}$. 

3. If $M$ is a pure term then $M \in \mathcal{SN}$ if and only if $M$ is typable in system $\mathcal{D}$. 

As described in the previous section, we do not have the implication “$M \in \mathcal{SN}$ implies $M$ is typable in system $\mathcal{D}$”. As is well known, this result holds for pure terms under $\beta$-reduction. It then follows from the preservation of strong normalization in $\lambda x$ that the result holds for pure terms under $\lambda x_{gc}$-reduction. The problem of finding a reasonable type system characterizing the strongly normalizing terms in $\lambda x$ is left as an open problem. 
Abstract. The Stratified Foundations are a restriction of naive set theory where the comprehension scheme is restricted to stratifiable propositions. It is known that this theory is consistent and that proofs strongly normalize in this theory. Deduction modulo is a formulation of first-order logic with a general notion of cut. It is known that proofs normalize in a theory modulo if it has some kind of many-valued model called a pre-model. We show in this paper that the Stratified Foundations can be presented in deduction modulo and that the method used in the original normalization proof can be adapted to construct a pre-model for this theory. 



The Stratified Foundations are a restriction of naive set theory where the comprehension scheme is restricted to stratifiable propositions. This theory is consistent |S| while naive set theory is not, and the consistency of the Stratified Foundations together with the extensionality axiom (the so-called New Foundations) is open. 

The Stratified Foundations extend simple type theory and, as in simple type theory, proofs strongly normalize in the Stratified Foundations P). These two normalization proofs, like many, have some parts in common; for instance, they both use Girard’s reducibility candidates. This motivates the investigation of general normalization theorems that have normalization theorems for specific theories as consequences. The normalization theorem for deduction modulo is an example of such a general theorem. It concerns theories expressed in deduction modulo |n|, that is, first-order theories with a general notion of cut. According to this theorem, proofs normalize in a theory in deduction modulo if this theory has some kind of many-valued model called a pre-model. For instance, simple type theory can be expressed in deduction modulo [5IB] and it has a pre-model m, and hence it has the normalization property. The normalization proof obtained this way is modular: all the lemmas specific to type theory are concentrated in the pre-model construction, while the theorem that the existence of a pre-model implies normalization is generic and can be used for any other theory in deduction modulo. 

The goal of this paper is to show that the Stratified Foundations can also be presented in deduction modulo and that the method used in the original normalization proof can be adapted to construct a pre-model for this theory. The normalization proof obtained this way is simpler than the original one because it simply uses the fact that proofs normalize in the Stratified Foundations if this theory has a pre-model, while a variant of this proposition needs to be proved in the original proof. 

It is worth noticing that the original normalization proof for the Stratified Foundations is already in two steps, where the first is the construction of a so-called normalization model and the second is a proof that proofs normalize in the Stratified Foundations if there is such a normalization model. Normalization models are, more or less, pre-models of the Stratified Foundations. So, we show that the notion of normalization model, which is specific to the Stratified Foundations, is an instance of a more general notion that can be defined for all theories modulo, and that the lemma that the existence of a normalization model implies normalization for the Stratified Foundations is an instance of a more general theorem that holds for all theories modulo. 

The normalization proof obtained this way also differs from the original one in other respects. First, to remain in first-order logic, we do not use a presentation of the Stratified Foundations with a binder, but one with combinators. To express the Stratified Foundations with a binder in first-order logic, we could use de Bruijn indices and explicit substitutions along the lines of j0|. The pre-model construction below should generalize easily to such a presentation. Second, our cuts are cuts modulo, while the original proof uses Prawitz’ folding-unfolding cuts. It is shown in ^ that the normalization theorems are equivalent for the two notions of cut, but that the notion of cut modulo is more general than the notion of folding-unfolding cut. Third, we use untyped reducibility candidates and not typed ones as in the original proof. This considerably simplifies the technical details. 

A last benefit of expressing the Stratified Foundations in deduction modulo is that we can use the method developed in to organize proof search. The method obtained this way, which is an analog of higher-order resolution for the Stratified Foundations, is much more efficient than the usual first-order proof search methods with the comprehension axioms, although it remains complete as the Stratified Foundations have the normalization property. 



1 Deduction Modulo 

1.1 Identifying Propositions 

In deduction modulo, the notions of language, term and proposition are those of first-order logic. But a theory is formed with a set of axioms $\Gamma$ and a congruence $\equiv$ defined on propositions. Such a congruence may be defined by a rewrite system on terms and on propositions (as propositions contain binders, the quantifiers, these rewrite systems are in fact combinatory reduction systems P|). Then, the deduction rules take this congruence into account. For instance, the modus ponens is not stated as usual 

$$\frac{A \Rightarrow B \qquad A}{B}$$

as the first premise need not be exactly $A \Rightarrow B$ but may be only congruent to this proposition, hence it is stated 

$$\frac{C \qquad A}{B} \quad \text{if } C \equiv A \Rightarrow B$$



$$\Gamma \vdash_{\equiv} B \quad \text{axiom if } A \in \Gamma \text{ and } A \equiv B$$

$$\frac{\Gamma, A \vdash_{\equiv} B}{\Gamma \vdash_{\equiv} C} \quad {\Rightarrow}\text{-intro if } C \equiv (A \Rightarrow B)$$

$$\frac{\Gamma \vdash_{\equiv} C \qquad \Gamma \vdash_{\equiv} A}{\Gamma \vdash_{\equiv} B} \quad {\Rightarrow}\text{-elim if } C \equiv (A \Rightarrow B)$$

$$\frac{\Gamma \vdash_{\equiv} A \qquad \Gamma \vdash_{\equiv} B}{\Gamma \vdash_{\equiv} C} \quad {\wedge}\text{-intro if } C \equiv (A \wedge B)$$

$$\frac{\Gamma \vdash_{\equiv} C}{\Gamma \vdash_{\equiv} A} \quad {\wedge}\text{-elim if } C \equiv (A \wedge B) \qquad\qquad \frac{\Gamma \vdash_{\equiv} C}{\Gamma \vdash_{\equiv} B} \quad {\wedge}\text{-elim if } C \equiv (A \wedge B)$$

$$\frac{\Gamma \vdash_{\equiv} A}{\Gamma \vdash_{\equiv} C} \quad {\vee}\text{-intro if } C \equiv (A \vee B) \qquad\qquad \frac{\Gamma \vdash_{\equiv} B}{\Gamma \vdash_{\equiv} C} \quad {\vee}\text{-intro if } C \equiv (A \vee B)$$

$$\frac{\Gamma \vdash_{\equiv} D \qquad \Gamma, A \vdash_{\equiv} C \qquad \Gamma, B \vdash_{\equiv} C}{\Gamma \vdash_{\equiv} C} \quad {\vee}\text{-elim if } D \equiv (A \vee B)$$

$$\frac{\Gamma \vdash_{\equiv} B}{\Gamma \vdash_{\equiv} A} \quad {\bot}\text{-elim if } B \equiv \bot$$

$$\frac{\Gamma \vdash_{\equiv} A}{\Gamma \vdash_{\equiv} B} \quad (x, A)\ {\forall}\text{-intro if } B \equiv (\forall x\, A) \text{ and } x \notin FV(\Gamma)$$

$$\frac{\Gamma \vdash_{\equiv} B}{\Gamma \vdash_{\equiv} C} \quad (x, A, t)\ {\forall}\text{-elim if } B \equiv (\forall x\, A) \text{ and } C \equiv [t/x]A$$

$$\frac{\Gamma \vdash_{\equiv} C}{\Gamma \vdash_{\equiv} B} \quad (x, A, t)\ {\exists}\text{-intro if } B \equiv (\exists x\, A) \text{ and } C \equiv [t/x]A$$

$$\frac{\Gamma \vdash_{\equiv} C \qquad \Gamma, A \vdash_{\equiv} B}{\Gamma \vdash_{\equiv} B} \quad (x, A)\ {\exists}\text{-elim if } C \equiv (\exists x\, A) \text{ and } x \notin FV(\Gamma B)$$

$$\Gamma \vdash_{\equiv} A \quad \text{Excluded middle if } A \equiv B \vee (B \Rightarrow \bot)$$

Fig. 1. Natural deduction modulo 



All the rules of intuitionistic natural deduction may be stated in a similar way. Classical deduction modulo is obtained by adding the excluded middle rule (see Figure 1). 

For example, in arithmetic, we can define a congruence with the following rewrite system 



$$0 + y \to y$$

$$S(x) + y \to S(x + y)$$

$$0 \times y \to 0$$

$$S(x) \times y \to x \times y + y$$

In the theory formed with a set of axioms $\Gamma$ containing the axiom $\forall x\ x = x$ and this congruence, we can prove, in natural deduction modulo, that the number 4 is even 

$$\frac{\dfrac{\dfrac{}{\Gamma \vdash_{\equiv} \forall x\ x = x}\ \text{axiom}}{\Gamma \vdash_{\equiv} 2 \times 2 = 4}\ (x, x = x, 4)\ {\forall}\text{-elim}}{\Gamma \vdash_{\equiv} \exists x\ 2 \times x = 4}\ (x, 2 \times x = 4, 2)\ {\exists}\text{-intro}$$

Substituting the variable $x$ by the term 2 in the proposition $2 \times x = 4$ yields the proposition $2 \times 2 = 4$, which is congruent to $4 = 4$. The transformation of one proposition into the other, which requires several proof steps in usual natural deduction, is dropped from the proof in deduction modulo. 
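As an added illustration (not part of the paper), the following Python program is a small first-order rewriting engine for the arithmetic rewrite system above: it normalizes both $2 \times 2 = 4$ and $4 = 4$ to the same proposition, which is exactly the congruence the $\forall$-elim step relies on. The term encoding, the rule-variable names and the leftmost-outermost strategy are the example's own choices.

```python
# Added example, not from the paper: a first-order rewriting engine for the
# arithmetic congruence of Section 1.1.  Since the rule set is confluent and
# terminating, two propositions are congruent iff their normal forms coincide.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Term:
    """A first-order term (or atomic proposition): a symbol applied to arguments."""
    head: str
    args: Tuple["Term", ...] = ()

    def __repr__(self) -> str:
        if not self.args:
            return self.head
        return f"{self.head}({', '.join(map(repr, self.args))})"


def var(name: str) -> Term:
    return Term(name)


def app(head: str, *args: Term) -> Term:
    return Term(head, tuple(args))


# Names treated as rule variables; every other head is a function/predicate symbol.
VARS = {"x", "y"}

# The page's rewrite system for + and x on unary numerals 0, S(0), S(S(0)), ...
RULES = [
    (app("+", app("0"), var("y")), var("y")),                      # 0 + y -> y
    (app("+", app("S", var("x")), var("y")),
     app("S", app("+", var("x"), var("y")))),                     # S(x) + y -> S(x + y)
    (app("*", app("0"), var("y")), app("0")),                      # 0 * y -> 0
    (app("*", app("S", var("x")), var("y")),
     app("+", app("*", var("x"), var("y")), var("y"))),           # S(x) * y -> x * y + y
]


def match(pat: Term, t: Term, subst: Dict[str, Term]) -> Optional[Dict[str, Term]]:
    """Syntactic matching of a rule left-hand side against t; None if it fails."""
    if pat.head in VARS and not pat.args:
        bound = subst.get(pat.head)
        if bound is None:
            return {**subst, pat.head: t}
        return subst if bound == t else None
    if pat.head != t.head or len(pat.args) != len(t.args):
        return None
    for p, a in zip(pat.args, t.args):
        subst = match(p, a, subst)
        if subst is None:
            return None
    return subst


def instantiate(t: Term, subst: Dict[str, Term]) -> Term:
    if t.head in VARS and not t.args:
        return subst[t.head]
    return Term(t.head, tuple(instantiate(a, subst) for a in t.args))


def step(t: Term) -> Optional[Term]:
    """One leftmost-outermost rewrite step, or None if t is in normal form."""
    for lhs, rhs in RULES:
        s = match(lhs, t, {})
        if s is not None:
            return instantiate(rhs, s)
    for i, a in enumerate(t.args):
        r = step(a)
        if r is not None:
            return Term(t.head, t.args[:i] + (r,) + t.args[i + 1:])
    return None


def normalize(t: Term) -> Term:
    while (r := step(t)) is not None:
        t = r
    return t


def numeral(n: int) -> Term:
    """The unary numeral S(...S(0)...) with n applications of S."""
    t = app("0")
    for _ in range(n):
        t = app("S", t)
    return t


def congruent(a: Term, b: Term) -> bool:
    """A = B for the congruence generated by RULES, decided through normal forms."""
    return normalize(a) == normalize(b)


# The two propositions identified in the page's derivation.
TWO_TIMES_TWO_EQ_FOUR = app("=", app("*", numeral(2), numeral(2)), numeral(4))
FOUR_EQ_FOUR = app("=", numeral(4), numeral(4))

if __name__ == "__main__":
    print(normalize(TWO_TIMES_TWO_EQ_FOUR))                 # =(S(S(S(S(0)))), S(S(S(S(0)))))
    print(congruent(TWO_TIMES_TWO_EQ_FOUR, FOUR_EQ_FOUR))   # True
```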

In this example, all the rewrite rules apply to terms. Deduction modulo also permits rules rewriting atomic propositions to arbitrary ones. For instance, in the theory of integral domains, we have the rule 

$$x \times y = 0 \to x = 0 \vee y = 0$$

that rewrites an atomic proposition to a disjunction. 

Notice that, in the proof above, we do not need the axioms of addition and multiplication. Indeed, these axioms are now redundant: since the terms $0 + y$ and $y$ are congruent, the axiom $\forall y\ 0 + y = y$ is congruent to the axiom of equality $\forall y\ y = y$. Hence, it can be dropped. Thus, rewrite rules replace axioms. 

This equivalence between rewrite rules and axioms is expressed by the equivalence lemma: for every congruence $\equiv$, we can find a theory $\mathcal{T}$ such that $\Gamma \vdash_{\equiv} A$ is provable in deduction modulo if and only if $\mathcal{T}, \Gamma \vdash A$ is provable in ordinary first-order logic jS]. Hence, deduction modulo is not a true extension of first-order logic, but rather an alternative formulation of first-order logic. Of course, the provable propositions are the same in both cases, but the proofs are very different. 

1.2 Model of a Theory Modulo 

A model of a congruence $\equiv$ is a model such that if $A \equiv B$ then, for all assignments, $A$ and $B$ have the same denotation. A model of a theory modulo $\Gamma, \equiv$ is a model of the theory $\Gamma$ and of the congruence $\equiv$. Unsurprisingly, the completeness theorem extends to classical deduction modulo [5| and a proposition is provable in the theory $\Gamma, \equiv$ if and only if it is valid in all the models of $\Gamma, \equiv$. 

1.3 Normalization in Deduction Modulo 

Replacing axioms by rewrite rules in a theory changes the structure of proofs, and in particular some theories may have the normalization property when expressed with axioms and not when expressed with rewrite rules. For instance, from the normalization theorem for first-order logic, we get that any proposition that is provable with the axiom $A \Leftrightarrow (B \wedge (A \Rightarrow \bot))$ has a normal proof. But if we transform this axiom into the rule $A \to (B \wedge (A \Rightarrow \bot))$ (Crabbé’s rule [H), the proposition $B \Rightarrow \bot$ has a proof, but no normal proof. 

We have proved a normalization theorem: proofs normalize in a theory modulo if this theory has a pre-model [Z1. A pre-model is a many-valued model whose truth values are reducibility candidates, i.e. sets of proof-terms. Hence we first define proof-terms, then reducibility candidates and at last pre-models. 

Definition 1 (Proof-term). 

Proof-terms are inductively defined as follows. 

$$\begin{array}{rcl}
\pi & ::= & \alpha \\
& | & \lambda\alpha\ \pi \ |\ (\pi\ \pi') \\
& | & (\pi, \pi') \ |\ fst(\pi) \ |\ snd(\pi) \\
& | & i(\pi) \ |\ j(\pi) \ |\ (\delta\ \pi_1\ \alpha\pi_2\ \beta\pi_3) \\
& | & (botelim\ \pi) \\
& | & \lambda x\ \pi \ |\ (\pi\ t) \\
& | & (t, \pi) \ |\ (exelim\ \pi\ x\alpha\pi')
\end{array}$$

Each proof-term construction corresponds to an intuitionistic natural deduction rule: terms of the form $\alpha$ express proofs built with the axiom rule, terms of the form $\lambda\alpha\ \pi$ and $(\pi\ \pi')$ express proofs built with the introduction and elimination rules of the implication, terms of the form $(\pi, \pi')$ and $fst(\pi)$, $snd(\pi)$ express proofs built with the introduction and elimination rules of the conjunction, terms of the form $i(\pi)$, $j(\pi)$ and $(\delta\ \pi_1\ \alpha\pi_2\ \beta\pi_3)$ express proofs built with the introduction and elimination rules of the disjunction, terms of the form $(botelim\ \pi)$ express proofs built with the elimination rule of the contradiction, terms of the form $\lambda x\ \pi$ and $(\pi\ t)$ express proofs built with the introduction and elimination rules of the universal quantifier and terms of the form $(t, \pi)$ and $(exelim\ \pi\ x\alpha\pi')$ express proofs built with the introduction and elimination rules of the existential quantifier. 

Definition 2 (Reduction). Reduction on proof-terms is defined by the following rules that eliminate cuts step by step. 

$$\begin{array}{rcl}
(\lambda\alpha\ \pi_1\ \pi_2) & \triangleright & [\pi_2/\alpha]\pi_1 \\
fst((\pi_1, \pi_2)) & \triangleright & \pi_1 \\
snd((\pi_1, \pi_2)) & \triangleright & \pi_2 \\
(\delta\ i(\pi_1)\ \alpha\pi_2\ \beta\pi_3) & \triangleright & [\pi_1/\alpha]\pi_2 \\
(\delta\ j(\pi_1)\ \alpha\pi_2\ \beta\pi_3) & \triangleright & [\pi_1/\beta]\pi_3 \\
(\lambda x\ \pi\ t) & \triangleright & [t/x]\pi \\
(exelim\ (t, \pi_1)\ \alpha x \pi_2) & \triangleright & [t/x, \pi_1/\alpha]\pi_2
\end{array}$$
Definition 3 (Reducibility candidates). A proof-term is said to be neutral if it is a proof variable or an elimination (i.e. of the form $(\pi\ \pi')$, $fst(\pi)$, $snd(\pi)$, $(\delta\ \pi_1\ \alpha\pi_2\ \beta\pi_3)$, $(botelim\ \pi)$, $(\pi\ t)$, $(exelim\ \pi\ x\alpha\pi')$), but not an introduction. A set $R$ of proof-terms is a reducibility candidate if 

— if $\pi \in R$, then $\pi$ is strongly normalizable, 

— if $\pi \in R$ and $\pi \triangleright \pi'$ then $\pi' \in R$, 

— if $\pi$ is neutral and if for every $\pi'$ such that $\pi \triangleright^1 \pi'$, $\pi' \in R$ then $\pi \in R$. 

We write $\mathcal{C}$ for the set of all reducibility candidates. 
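As an added example (not from the paper), the following Python code implements the propositional fragment of Definitions 1 to 3: proof-terms as tagged tuples, the cut-elimination steps of Definition 2 with capture-avoiding substitution, the neutral/introduction distinction, and a check of strong normalizability that exhausts the reduction graph. The tuple encoding, the omission of the quantifier constructions and the search budget are the example's own choices.

```python
# Added example, not from the paper: the propositional fragment of Definitions 1-3
# plus an exhaustive strong-normalization check.  Quantifier proof-terms are left out.

# Constructors: a proof variable is a bare string, every other term a tagged tuple.
def lam(a, body):         return ("lam", a, body)          # λα π
def ap(p, q):             return ("app", p, q)             # (π π')
def pair(p, q):           return ("pair", p, q)            # (π, π')
def fst(p):               return ("fst", p)
def snd(p):               return ("snd", p)
def inj1(p):              return ("i", p)
def inj2(p):              return ("j", p)
def case(p, a, q, b, r):  return ("delta", p, a, q, b, r)  # (δ π₁ απ₂ βπ₃)

INTRODUCTIONS = {"lam", "pair", "i", "j"}
def tag(p):        return None if isinstance(p, str) else p[0]
def is_neutral(p): return tag(p) not in INTRODUCTIONS       # Definition 3

def fv(p):
    """Free proof variables of p."""
    if isinstance(p, str):
        return {p}
    if tag(p) == "lam":
        return fv(p[2]) - {p[1]}
    if tag(p) == "delta":
        return fv(p[1]) | (fv(p[3]) - {p[2]}) | (fv(p[5]) - {p[4]})
    return set().union(*(fv(x) for x in p[1:]))

def fresh(base, avoid):
    n = 0
    while f"{base}_{n}" in avoid:
        n += 1
    return f"{base}_{n}"

def subst(p, a, q):
    """[q/a]p, renaming a binder whenever it would capture a free variable of q."""
    if isinstance(p, str):
        return q if p == a else p
    t = tag(p)
    if t == "lam":
        return ("lam",) + _under_binder(p[1], p[2], a, q)
    if t == "delta":
        _, scrut, b1, br1, b2, br2 = p
        b1, br1 = _under_binder(b1, br1, a, q)
        b2, br2 = _under_binder(b2, br2, a, q)
        return ("delta", subst(scrut, a, q), b1, br1, b2, br2)
    return (t,) + tuple(subst(x, a, q) for x in p[1:])

def _under_binder(v, body, a, q):
    if v == a:                          # a is shadowed here: nothing to substitute
        return v, body
    if v in fv(q):                      # rename v so it cannot capture q's variables
        w = fresh(v, fv(body) | fv(q) | {a})
        body, v = subst(body, v, w), w
    return v, subst(body, a, q)

def root_step(p):
    """One cut-elimination step of Definition 2 at the root of p, or None."""
    t = tag(p)
    if t == "app" and tag(p[1]) == "lam":       # (λα π₁ π₂) ▷ [π₂/α]π₁
        return subst(p[1][2], p[1][1], p[2])
    if t == "fst" and tag(p[1]) == "pair":      # fst((π₁, π₂)) ▷ π₁
        return p[1][1]
    if t == "snd" and tag(p[1]) == "pair":      # snd((π₁, π₂)) ▷ π₂
        return p[1][2]
    if t == "delta" and tag(p[1]) == "i":       # (δ i(π₁) απ₂ βπ₃) ▷ [π₁/α]π₂
        return subst(p[3], p[2], p[1][1])
    if t == "delta" and tag(p[1]) == "j":       # (δ j(π₁) απ₂ βπ₃) ▷ [π₁/β]π₃
        return subst(p[5], p[4], p[1][1])
    return None

def successors(p):
    """All π' with π ▷¹ π': a step at the root or inside any subterm."""
    if isinstance(p, str):
        return []
    out = [r] if (r := root_step(p)) is not None else []
    for i, child in enumerate(p):
        if i == 0 or isinstance(child, str):   # skip tag, binder names, variables
            continue
        out += [p[:i] + (c,) + p[i + 1:] for c in successors(child)]
    return out

def normal_form(p):
    while (s := successors(p)):
        p = s[0]
    return p

def strongly_normalizable(p, budget=5000):
    """True iff every reduction sequence from p is finite: the reduction graph is
    searched exhaustively, and a term met twice on one path is an infinite loop."""
    done = set()
    def visit(t, path):
        nonlocal budget
        if t in path:
            return False
        if t in done:
            return True
        budget -= 1
        if budget < 0:
            raise RuntimeError("search budget exhausted")
        ok = all(visit(s, path | {t}) for s in successors(t))
        done.add(t)
        return ok
    return visit(p, frozenset())
```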

Definition 4 (Pre-model). A pre-model $\mathcal{N}$ for a language $\mathcal{L}$ is given by: 

— a set $N$, 

— for each function symbol $f$ of arity $n$ a function $\hat{f}$ from $N^n$ to $N$, 

— for each predicate symbol $P$ a function $\hat{P}$ from $N^n$ to $\mathcal{C}$. 



Definition 5 (Denotation in a pre-model). Let $\mathcal{N}$ be a pre-model, $t$ be a term and $\varphi$ an assignment mapping all the free variables of $t$ to elements of $N$. We define the object $\llbracket t \rrbracket_\varphi$ by induction over the structure of $t$. 

— $\llbracket x \rrbracket_\varphi = \varphi(x)$, 

— $\llbracket f(t_1, \ldots, t_n) \rrbracket_\varphi = \hat{f}(\llbracket t_1 \rrbracket_\varphi, \ldots, \llbracket t_n \rrbracket_\varphi)$. 

Let $A$ be a proposition and $\varphi$ an assignment mapping all the free variables of $A$ to elements of $N$. We define the reducibility candidate $\llbracket A \rrbracket_\varphi$ by induction over the structure of $A$. 

— If $A$ is an atomic proposition $P(t_1, \ldots, t_n)$ then $\llbracket A \rrbracket_\varphi = \hat{P}(\llbracket t_1 \rrbracket_\varphi, \ldots, \llbracket t_n \rrbracket_\varphi)$. 

— If $A = B \Rightarrow C$ then $\llbracket A \rrbracket_\varphi$ is the set of proofs $\pi$ such that $\pi$ is strongly normalizable and whenever it reduces to $\lambda\alpha\ \pi_1$ then for every $\pi'$ in $\llbracket B \rrbracket_\varphi$, $[\pi'/\alpha]\pi_1$ is in $\llbracket C \rrbracket_\varphi$. 

— If $A = B \wedge C$ then $\llbracket A \rrbracket_\varphi$ is the set of proofs $\pi$ such that $\pi$ is strongly normalizable and whenever it reduces to $(\pi_1, \pi_2)$ then $\pi_1$ is in $\llbracket B \rrbracket_\varphi$ and $\pi_2$ is in $\llbracket C \rrbracket_\varphi$. 

— If $A = B \vee C$ then $\llbracket A \rrbracket_\varphi$ is the set of proofs $\pi$ such that $\pi$ is strongly normalizable and whenever it reduces to $i(\pi_1)$ (resp. $j(\pi_2)$) then $\pi_1$ (resp. $\pi_2$) is in $\llbracket B \rrbracket_\varphi$ (resp. $\llbracket C \rrbracket_\varphi$). 

— If $A = \bot$ then $\llbracket A \rrbracket_\varphi$ is the set of strongly normalizable proofs. 

— If $A = \forall x\ B$ then $\llbracket A \rrbracket_\varphi$ is the set of proofs $\pi$ such that $\pi$ is strongly normalizable and whenever it reduces to $\lambda x\ \pi_1$ then for every term $t$ and every element $a$ of $N$, $[t/x]\pi_1$ is in $\llbracket B \rrbracket_{\varphi + a/x}$. 

— If $A = \exists x\ B$ then $\llbracket A \rrbracket_\varphi$ is the set of proofs $\pi$ such that $\pi$ is strongly normalizable and whenever it reduces to $(t, \pi_1)$ then there exists an element $a$ in $N$ such that $\pi_1$ is in $\llbracket B \rrbracket_{\varphi + a/x}$. 
Definition 6. A pre-model is said to be a pre-model of a congruence $\equiv$ if when $A \equiv B$ then for every assignment $\varphi$, $\llbracket A \rrbracket_\varphi = \llbracket B \rrbracket_\varphi$. 

Theorem 1 (Normalization). Q/ If a congruence $\equiv$ has a pre-model, all proofs modulo $\equiv$ strongly normalize. 



2 The Stratified Foundations 

2.1 The Stratified Foundations as a First-Order Theory 

Definition 7. (Stratifiable proposition) 

A proposition $A$ in the language $\in$ is said to be stratifiable if there exists a function $S$ mapping every variable (bound or free) of $A$ to a natural number in such a way that every atomic proposition $x \in y$ of $A$ is such that $S(y) = S(x) + 1$. 

For instance, the proposition 

$$\forall v\ (v \in x \Leftrightarrow v \in y) \Rightarrow \forall w\ (x \in w \Rightarrow y \in w)$$

is stratifiable (take, for instance, $S(v) = 4$, $S(x) = S(y) = 5$, $S(w) = 6$) but not the proposition 

$$\forall v\ (v \in x \Leftrightarrow v \in y) \Rightarrow x \in y$$
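As an added example (not from the paper), the following Python program decides Definition 7 by solving the constraints $S(y) = S(x) + 1$ collected from the atomic propositions; it checks both propositions above and, going slightly beyond the page, the Russell atom $x \in x$ that stratification rules out. The tuple encoding of propositions, the treatment of each variable name as one variable, and the normalisation of levels to start at 0 are the example's own choices.

```python
# Added example, not from the paper: deciding stratifiability (Definition 7) by
# solving the constraints S(y) = S(x) + 1 generated by the atomic propositions
# x ∈ y.  Propositions are tagged tuples; a variable name denotes one variable
# wherever it occurs (assumption of this example: no reuse of bound names).
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

def In(x, y):        return ("in", x, y)
def Imp(a, b):       return ("imp", a, b)
def Iff(a, b):       return ("iff", a, b)
def And(a, b):       return ("and", a, b)
def Or(a, b):        return ("or", a, b)
def Forall(x, a):    return ("forall", x, a)
def Exists(x, a):    return ("exists", x, a)
BOT = ("bot",)

def atoms(A) -> List[Tuple[str, str]]:
    """All atomic propositions x ∈ y of A, those under binders included."""
    t = A[0]
    if t == "in":
        return [(A[1], A[2])]
    if t in ("forall", "exists"):
        return atoms(A[2])
    if t in ("imp", "iff", "and", "or"):
        return atoms(A[1]) + atoms(A[2])
    return []

def stratification(A) -> Optional[Dict[str, int]]:
    """A stratification S of A (levels shifted to start at 0), or None if A is not
    stratifiable.  Each atom x ∈ y is an edge x -> y of weight +1; levels are propagated
    through every connected component, and a conflicting level means the constraints
    S(y) = S(x) + 1 are unsatisfiable."""
    edges = defaultdict(list)
    for x, y in atoms(A):
        edges[x].append((y, 1))
        edges[y].append((x, -1))
    S: Dict[str, int] = {}
    for start in edges:
        if start in S:
            continue
        S[start] = 0
        queue = deque([start])
        while queue:
            u = queue.popleft()
            for v, d in edges[u]:
                if v not in S:
                    S[v] = S[u] + d
                    queue.append(v)
                elif S[v] != S[u] + d:
                    return None
    if not S:
        return {}
    low = min(S.values())
    return {v: k - low for v, k in S.items()}

def stratifiable(A) -> bool:
    return stratification(A) is not None

# The page's two examples, plus the Russell atom that the scheme must exclude.
EXT_LIKE = Imp(Forall("v", Iff(In("v", "x"), In("v", "y"))),
               Forall("w", Imp(In("x", "w"), In("y", "w"))))
NOT_STRAT = Imp(Forall("v", Iff(In("v", "x"), In("v", "y"))), In("x", "y"))
RUSSELL = Imp(In("x", "x"), BOT)

if __name__ == "__main__":
    print(stratification(EXT_LIKE))                        # {'v': 0, 'x': 1, 'y': 1, 'w': 2}
    print(stratifiable(NOT_STRAT), stratifiable(RUSSELL))  # False False
```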

Definition 8. (The stratified comprehension scheme) 

For every stratifiable proposition $A$ whose free variables are among $x_1, \ldots, x_n, x_{n+1}$ we take the axiom 

$$\forall x_1 \ldots \forall x_n\ \exists z\ \forall x_{n+1}\ (x_{n+1} \in z \Leftrightarrow A)$$

Definition 9. (The skolemized stratified comprehension scheme) 

When we skolemize this scheme, we introduce for each stratifiable proposition $A$ in the language $\in$ and sequence of variables $x_1, \ldots, x_n, x_{n+1}$ such that the free variables of $A$ are among $x_1, \ldots, x_n, x_{n+1}$, a function symbol $f_{x_1, \ldots, x_n, x_{n+1}, A}$ and the axiom 

$$\forall x_1 \ldots \forall x_n\ \forall x_{n+1}\ (x_{n+1} \in f_{x_1, \ldots, x_n, x_{n+1}, A}(x_1, \ldots, x_n) \Leftrightarrow A)$$

2.2 The Stratified Foundations as a Theory Modulo 

Now we want to replace the axiom scheme above by a rewrite rule, defining a congruence on propositions, so that the Stratified Foundations are defined as an axiom-free theory modulo. 

Definition 10. (The rewrite system $\mathcal{R}$) 

$$t_{n+1} \in f_{x_1, \ldots, x_n, x_{n+1}, A}(t_1, \ldots, t_n) \to [t_1/x_1, \ldots, t_n/x_n, t_{n+1}/x_{n+1}]A$$
Proposition 1. The rewrite system $\mathcal{R}$ is confluent and terminating. 

Proof. The system $\mathcal{R}$ is an orthogonal combinatory reduction system, hence it is confluent 1^. 

For termination, if $A$ is an atomic proposition we write $\|A\|$ for the number of function symbols in $A$, and if $A$ is a proposition containing the atomic propositions $A_1, \ldots, A_p$ we write $A^\circ$ for the multiset $\{\|A_1\|, \ldots, \|A_p\|\}$. We show that if a proposition $A$ reduces in one step to a proposition $B$ then $B^\circ < A^\circ$ for the multiset ordering. 

If the proposition $A$ reduces in one step to $B$, there is an atomic proposition of $A$, say $A_1$, that has the form $t_{n+1} \in f_{x_1, \ldots, x_n, x_{n+1}, C}(t_1, \ldots, t_n)$ and reduces to $B_1 = [t_1/x_1, \ldots, t_n/x_n, t_{n+1}/x_{n+1}]C$. Every atomic proposition $b$ of $B_1$ has the form $[t_1/x_1, \ldots, t_n/x_n, t_{n+1}/x_{n+1}]c$ where $c$ is an atomic proposition of $C$. The proposition $c$ has the form $x_i \in x_j$ for distinct $i$ and $j$ (since $C$ is stratifiable), $x_i \in y$, $y \in x_i$ or $y \in z$. Hence $b$ has the form $t_i \in t_j$ for distinct $i$ and $j$, $t_i \in y$, $y \in t_i$ or $y \in z$, and $\|b\| < \|A_1\|$. Therefore $B^\circ < A^\circ$. 

Proposition 2. A proposition $A$ is provable from the skolemized comprehension scheme if and only if it is provable modulo the rewrite system $\mathcal{R}$. 

2.3 Consistency 

We want now to construct a model for the Stratified Foundations. 

If $\mathcal{M}$ is a model of set theory we write $M$ for the set of elements of the model, $\in_M$ for the denotation of the symbol $\in$ in this model, $\mathcal{P}_M$ for the powerset in this model, etc. We write also $\llbracket A \rrbracket^{\mathcal{M}}_\varphi$ for the denotation of a proposition $A$ for the assignment $\varphi$. 

The proof of the consistency of the Stratified Foundations rests on the existence of a model of Zermelo’s set theory, such that there is a bijection $\sigma$ from $M$ to $M$ and a family $v_i$ of elements of $M$, $i \in \mathbb{Z}$, such that 

$$a \in_M b \text{ if and only if } \sigma a \in_M \sigma b$$

$$\sigma v_i = v_{i+1}$$

$$\mathcal{P}_M(v_i) \subseteq_M v_{i+1}$$

The existence of such a model is proved in |S|. 

Using the fact that $\mathcal{M}$ is a model of the axiom of extensionality, we prove that $a \subseteq_M b$ if and only if $\sigma a \subseteq_M \sigma b$, $\sigma\{a, b\}_M = \{\sigma a, \sigma b\}_M$, $\sigma(a, b)_M = (\sigma a, \sigma b)_M$, $\sigma\mathcal{P}_M(a) = \mathcal{P}_M(\sigma a)$, etc. 

For the normalization proof, we will further need that $\mathcal{M}$ is an $\omega$-model. We define $\bar{0} = \emptyset_M$, $\overline{n+1} = \bar{n} \cup_M \{\bar{n}\}_M$. An $\omega$-model is a model such that $a \in_M \mathbb{N}_M$ if and only if there exists $n$ in $\mathbb{N}$ such that $a = \bar{n}$. The existence of such a model is proved in 0 (see also |2|). 

Using the fact that $\mathcal{M}$ is a model of the axiom of extensionality, we prove that $\sigma\emptyset_M = \emptyset_M$ and then, by induction on $n$, that $\sigma\bar{n} = \bar{n}$. 
Notice that since $\mathcal{P}_M(v_i) \subseteq_M v_{i+1}$, $\emptyset_M \in_M v_i$ and, for all $n$, $\bar{n} \in_M v_i$. Hence, as the model is an $\omega$-model, $\mathbb{N}_M \subseteq_M v_i$. 

In an $\omega$-model, we can identify the set $\mathbb{N}$ of natural numbers with the set of objects $a$ in $\mathcal{M}$ such that $a \in_M \mathbb{N}_M$. To each proof-term we can associate a natural number $n$ (its Gödel number) and then the element $\bar{n}$ of $\mathcal{M}$. Proof-terms, their Gödel number and the encoding of this number in $\mathcal{M}$ will be identified in the following. 

We are now ready to construct a model $\mathcal{U}$ for the Stratified Foundations. The base set is the set $U$ of elements $a$ of $M$ such that $a \in_M v_0$. The relation $\in_U$ is defined by $a \in_U b$ if and only if $a \in_M \sigma b$. This permits to define the denotation of propositions built without Skolem symbols. To be able to define the denotation of Skolem symbols, we prove the following proposition. 

Proposition 3. For every stratifiable proposition $A$ in the language $\in$ whose free variables are among $x_1, \ldots, x_{n+1}$ and for all $a_1, \ldots, a_n$ in $U$, there exists an element $b$ in $U$ such that for every $a_{n+1}$ in $U$, $a_{n+1} \in_M \sigma b$ if and only if 

$$\llbracket A \rrbracket^{\mathcal{U}}_{a_1/x_1, \ldots, a_{n+1}/x_{n+1}} = 1$$

Proof. Let $|A|$ be the proposition defined as follows. 

— $|A| = A$ if $A$ is atomic, 

— $|A \Rightarrow B| = |A| \Rightarrow |B|$, $|A \wedge B| = |A| \wedge |B|$, $|A \vee B| = |A| \vee |B|$, $|\bot| = \bot$, 

— $|\forall x\ A| = \forall x\ ((x \in E_{S(x)}) \Rightarrow |A|)$, 

— $|\exists x\ A| = \exists x\ ((x \in E_{S(x)}) \wedge |A|)$. 

Notice that the free variables of $|A|$ are among $E_0, \ldots, E_m, x_1, \ldots, x_n, x_{n+1}$. Let 

$$\varphi = a_1/x_1, \ldots, a_n/x_n, a_{n+1}/x_{n+1}$$

$$\psi = v_0/E_0, \ldots, v_m/E_m, \sigma^{k_1} a_1/x_1, \ldots, \sigma^{k_n} a_n/x_n, \sigma^{k_{n+1}} a_{n+1}/x_{n+1}$$

where $k_1 = S(x_1), \ldots, k_{n+1} = S(x_{n+1})$. We check, by induction over the structure of $A$, that if $A$ is a stratifiable proposition in the language $\in$, then 

$$\llbracket |A| \rrbracket^{\mathcal{M}}_\psi = \llbracket A \rrbracket^{\mathcal{U}}_\varphi$$

— If $A$ is an atomic proposition $x_i \in x_j$, then $k_j = k_i + 1$, and $\llbracket |A| \rrbracket^{\mathcal{M}}_\psi = 1$ if and only if $\sigma^{k_i} a_i \in_M \sigma^{k_j} a_j$, if and only if $a_i \in_M \sigma a_j$, if and only if $\llbracket A \rrbracket^{\mathcal{U}}_\varphi = 1$. 

— If $A = B \Rightarrow C$ then $\llbracket |A| \rrbracket^{\mathcal{M}}_\psi = 1$ if and only if $\llbracket |B| \rrbracket^{\mathcal{M}}_\psi = 0$ or $\llbracket |C| \rrbracket^{\mathcal{M}}_\psi = 1$, if and only if $\llbracket B \rrbracket^{\mathcal{U}}_\varphi = 0$ or $\llbracket C \rrbracket^{\mathcal{U}}_\varphi = 1$, if and only if $\llbracket A \rrbracket^{\mathcal{U}}_\varphi = 1$. 

— If $A = B \wedge C$ then $\llbracket |A| \rrbracket^{\mathcal{M}}_\psi = 1$ if and only if $\llbracket |B| \rrbracket^{\mathcal{M}}_\psi = 1$ and $\llbracket |C| \rrbracket^{\mathcal{M}}_\psi = 1$, if and only if $\llbracket B \rrbracket^{\mathcal{U}}_\varphi = 1$ and $\llbracket C \rrbracket^{\mathcal{U}}_\varphi = 1$, if and only if $\llbracket A \rrbracket^{\mathcal{U}}_\varphi = 1$. 

— If $A = B \vee C$ then $\llbracket |A| \rrbracket^{\mathcal{M}}_\psi = 1$ if and only if $\llbracket |B| \rrbracket^{\mathcal{M}}_\psi = 1$ or $\llbracket |C| \rrbracket^{\mathcal{M}}_\psi = 1$, if and only if $\llbracket B \rrbracket^{\mathcal{U}}_\varphi = 1$ or $\llbracket C \rrbracket^{\mathcal{U}}_\varphi = 1$, if and only if $\llbracket A \rrbracket^{\mathcal{U}}_\varphi = 1$. 

— $\llbracket |\bot| \rrbracket^{\mathcal{M}}_\psi = 0 = \llbracket \bot \rrbracket^{\mathcal{U}}_\varphi$. 

— If $A = \forall x\ B$ then, with $k = S(x)$, $\llbracket |A| \rrbracket^{\mathcal{M}}_\psi = 1$ if and only if for every $c$ in $M$ such that $c \in_M v_k$, $\llbracket |B| \rrbracket^{\mathcal{M}}_{\psi + c/x} = 1$, if and only if for every $e$ in $U$, $\llbracket |B| \rrbracket^{\mathcal{M}}_{\psi + \sigma^k e/x} = 1$, if and only if for every $e$ in $U$, $\llbracket B \rrbracket^{\mathcal{U}}_{\varphi + e/x} = 1$, if and only if $\llbracket A \rrbracket^{\mathcal{U}}_\varphi = 1$. 
— If $A = \exists x\ B$ then, with $k = S(x)$, $\llbracket |A| \rrbracket^{\mathcal{M}}_\psi = 1$ if and only if there exists $c$ in $M$ such that $c \in_M v_k$ and $\llbracket |B| \rrbracket^{\mathcal{M}}_{\psi + c/x} = 1$, if and only if there exists $e$ in $U$ such that $\llbracket |B| \rrbracket^{\mathcal{M}}_{\psi + \sigma^k e/x} = 1$, if and only if there exists $e$ in $U$ such that $\llbracket B \rrbracket^{\mathcal{U}}_{\varphi + e/x} = 1$, if and only if $\llbracket A \rrbracket^{\mathcal{U}}_\varphi = 1$. 

Then, the model $\mathcal{M}$ is a model of the comprehension scheme. Hence, it is a model of the proposition 

$$\forall E_0 \ldots \forall E_m\ \forall x_1 \ldots \forall x_n\ \forall y\ \exists z\ \forall x_{n+1}\ (x_{n+1} \in z \Leftrightarrow (x_{n+1} \in y \wedge |A|))$$

Thus, for all $a_1, \ldots, a_n$, there exists an object $b_0$ such that for all $a_{n+1}$ 

$$\llbracket x_{n+1} \in z \Leftrightarrow (x_{n+1} \in y \wedge |A|) \rrbracket^{\mathcal{M}}_{\psi + b_0/z + v_{k_{n+1}}/y} = 1$$

We have $\sigma^{k_{n+1}} a_{n+1} \in_M b_0$ if and only if $\sigma^{k_{n+1}} a_{n+1} \in_M v_{k_{n+1}}$ and $\llbracket |A| \rrbracket^{\mathcal{M}}_\psi = 1$, thus $a_{n+1} \in_M \sigma^{-k_{n+1}} b_0$ if and only if $a_{n+1}$ is in $U$ and $\llbracket A \rrbracket^{\mathcal{U}}_\varphi = 1$. We take $b = \ldots$. For all $a_{n+1}$ in $U$, we have $a_{n+1} \in_M \sigma b$ if and only if $\llbracket A \rrbracket^{\mathcal{U}}_\varphi = 1$. 

Notice finally that $b_0 \in_M \mathcal{P}_M(v_{k_{n+1}})$, thus $b_0 \in_M v_{k_{n+1}+1}$, $b \in_M v_0$ and hence $b$ is in $U$. 

Definition 11 (Jensen’s model). The model $\mathcal{U} = \langle U, \in_U, \hat{f}_{x_1, \ldots, x_n, y, A} \rangle$ is defined as follows. The base set is $U$. The relation $\in_U$ is defined above. The function $\hat{f}_{x_1, \ldots, x_n, x_{n+1}, A}$ maps $(a_1, \ldots, a_n)$ to an object $b$ such that for all $a_{n+1}$ in $U$, $a_{n+1} \in_M \sigma b$ if and only if $\llbracket A \rrbracket^{\mathcal{U}}_{a_1/x_1, \ldots, a_{n+1}/x_{n+1}} = 1$. 

Proposition 4. The model $\mathcal{U}$ is a model of the Stratified Foundations. 

Proof. If $A$ is a stratifiable proposition in the language $\in$, then 

$$\llbracket t_{n+1} \in f_{x_1, \ldots, x_n, x_{n+1}, A}(t_1, \ldots, t_n) \rrbracket^{\mathcal{U}}_\varphi = 1$$

if and only if 

$$\llbracket t_{n+1} \rrbracket^{\mathcal{U}}_\varphi \in_M \sigma \hat{f}_{x_1, \ldots, x_n, x_{n+1}, A}(\llbracket t_1 \rrbracket^{\mathcal{U}}_\varphi, \ldots, \llbracket t_n \rrbracket^{\mathcal{U}}_\varphi)$$

if and only if 

$$\llbracket [t_1/x_1, \ldots, t_n/x_n, t_{n+1}/x_{n+1}]A \rrbracket^{\mathcal{U}}_\varphi = 1$$

Hence, if $A \equiv B$ then $A$ and $B$ have the same denotation. 

Corollary 1. The Stratified Foundations are consistent. 

2.4 Normalization 

We want now to construct a pre-model for the Stratified Foundations. 

Let $u_i = v_{3i}$ and $\tau = \sigma^3$. The function $\tau$ is an automorphism of $\mathcal{M}$, $\tau u_i = u_{i+1}$, $u_i \subseteq_M u_{i+1}$ and $\mathcal{P}_M(\mathcal{P}_M(\mathcal{P}_M(u_i))) \subseteq_M u_{i+1}$. 

As $\mathcal{M}$ is an $\omega$-model of set theory, for each recursively enumerable relation $R$ on natural numbers, there is an object $r$ in $\mathcal{M}$ such that $R(a_1, \ldots, a_n)$ if and only if $(a_1, \ldots, a_n)_M \in_M r$. In particular there is 
— an object $Proof$ such that $\pi \in_M Proof$ if and only if $\pi$ is (the encoding in $\mathcal{M}$ of the Gödel number of) a proof, 

— an object $Term$ such that $t \in_M Term$ if and only if $t$ is (the encoding of the Gödel number of) a term, 

— an object $Subst$ such that $(\pi, \pi_1, \alpha, \pi_2)_M \in_M Subst$ if and only if $\pi$, $\pi_1$ and $\pi_2$ are (encodings of Gödel numbers of) proofs, $\alpha$ is (the encoding of the Gödel number of) a proof variable and $\pi = [\pi_1/\alpha]\pi_2$, 

— an object $Subst'$ such that $(\pi, t, x, \pi_1)_M \in_M Subst'$ if and only if $\pi$ and $\pi_1$ are (encodings of the Gödel numbers of) proofs, $x$ is (the encoding of the Gödel number of) a term variable and $t$ (the encoding of the Gödel number of) a term and $\pi = [t/x]\pi_1$, 

— an object $Red$ such that $(\pi, \pi_1)_M \in_M Red$ if and only if $\pi$ and $\pi_1$ are (encodings of Gödel numbers of) proofs and $\pi \triangleright^* \pi_1$, 

— an object $Sn$ such that $\pi \in_M Sn$ if and only if $\pi$ is (the encoding of the Gödel number of) a strongly normalizable proof, 

— an object $ImpI$ such that $(\pi, \alpha, \pi_1)_M \in_M ImpI$ if and only if $\pi$ and $\pi_1$ are (encodings of Gödel numbers of) proofs, $\alpha$ is (the encoding of the Gödel number of) a proof variable and $\pi = \lambda\alpha\ \pi_1$, 

— an object $AndI$ such that $(\pi, \pi_1, \pi_2)_M \in_M AndI$ if and only if $\pi$, $\pi_1$ and $\pi_2$ are (encodings of Gödel numbers of) proofs and $\pi = (\pi_1, \pi_2)$, 

— an object $OrI1$ (resp. $OrI2$) such that $(\pi, \pi_1)_M \in_M OrI1$ (resp. $(\pi, \pi_2)_M \in_M OrI2$) if and only if $\pi$ and $\pi_1$ (resp. $\pi$ and $\pi_2$) are (encodings of Gödel numbers of) proofs and $\pi = i(\pi_1)$ (resp. $\pi = j(\pi_2)$), 

— an object $ForallI$ such that $(\pi, x, \pi_1)_M \in_M ForallI$ if and only if $\pi$ and $\pi_1$ are (encodings of Gödel numbers of) proofs, $x$ is (the encoding of the Gödel number of) a term variable, and $\pi = \lambda x\ \pi_1$, 

— an object $ExistsI$ such that $(\pi, t, \pi_1)_M \in_M ExistsI$ if and only if $\pi$ and $\pi_1$ are (encodings of Gödel numbers of) proofs, $t$ is (the encoding of the Gödel number of) a term and $\pi = (t, \pi_1)$. 

Notice also that, since $\mathcal{M}$ is a model of the comprehension scheme, there is an object $Cr$ such that $a \in_M Cr$ if and only if $a$ is a reducibility candidate (i.e. the set of objects $\beta$ such that $\beta \in_M a$ is a reducibility candidate). 

Definition 12 (Admissible). An element $\alpha$ of $M$ is said to be admissible at level $i$ if $\alpha$ is a set of pairs $(\pi, \beta)_M$ where $\pi$ is a proof and $\beta$ an element of $u_i$, and for each $\beta$ in $u_i$ the set of $\pi$ such that $(\pi, \beta)_M \in_M \alpha$ is a reducibility candidate. 

Notice that if $R$ is any reducibility candidate then the set $R \times_M u_i$ is admissible at level $i$. Hence there are admissible elements at all levels. 

Proposition 5. There is an element $A_i$ in $M$ such that $\alpha \in_M A_i$ if and only if $\alpha$ is admissible at level $i$. 

Proof. An element $\alpha$ of $M$ is admissible at level $i$ if and only if 

$$\alpha \in_M \mathcal{P}_M(Proof \times_M u_i) \wedge \forall\beta\ (\beta \in_M u_i \Rightarrow \exists C\ (C \in_M Cr \wedge \forall\pi\ ((\pi, \beta)_M \in_M \alpha \Leftrightarrow \pi \in_M C)))$$
Hence, as $\mathcal{M}$ is a model of the comprehension scheme, there is an element $A_i$ in $M$ such that $\alpha \in_M A_i$ if and only if $\alpha$ is admissible at level $i$. 

Notice that $\alpha \in_M \tau A_i$ if and only if $\alpha \in_M A_{i+1}$. Hence, as $\mathcal{M}$ is a model of the extensionality axiom, $\tau A_i = A_{i+1}$. 

Notice, at last, that $A_i \subseteq_M \mathcal{P}_M(Proof \times_M u_i) \subseteq_M \mathcal{P}_M(u_i \times_M u_i) \subseteq_M \mathcal{P}_M(\mathcal{P}_M(\mathcal{P}_M(u_i))) \subseteq_M u_{i+1}$. 

Proposition 6. If $\beta \in_M A_i$ and $\alpha \in_M A_{i+1}$ then the set of $\pi$ such that $(\pi, \beta) \in_M \alpha$ is a reducibility candidate. 

Proof. As $\alpha \in_M A_{i+1}$ and $\beta \in_M A_i \subseteq_M u_{i+1}$, the set of $\pi$ such that $(\pi, \beta) \in_M \alpha$ is a reducibility candidate. 

We are now ready to construct a pre-model $\mathcal{N}$ of the Stratified Foundations. The base set of this pre-model is the set $N$ of elements of $M$ that are admissible at level 0. We take $\hat{\in}(\alpha, \beta) = \{\pi \mid (\pi, \alpha)_M \in_M \tau\beta\}$. This permits to define the denotation of propositions built without Skolem symbols. To define the denotation of Skolem symbols, we prove the following proposition. 

Proposition 7. For every stratifiable proposition $A$ in the language $\in$ whose free variables are among $x_1, \ldots, x_n, x_{n+1}$ and for all $a_1, \ldots, a_n$ in $N$, there exists an element $b$ in $N$ such that for every $a_{n+1}$ in $N$, $(\pi, a_{n+1})_M \in_M \tau b$ if and only if $\pi$ is in 

$$\llbracket A \rrbracket^{\mathcal{N}}_{a_1/x_1, \ldots, a_{n+1}/x_{n+1}}$$

Proof. Let $|A|$ be the proposition (read $p$ realizes $A$) defined as follows. 

— $|x_i \in x_j| = (p, x_i) \in x_j$, 

— $|A \Rightarrow B| = p \in sn \wedge \forall q\ \forall w\ \forall r\ (((p, q) \in red \wedge (q, w, r) \in impi) \Rightarrow \forall s\ ([s/p]|A| \Rightarrow \forall t\ ((t, s, w, r) \in subst \Rightarrow [t/p]|B|)))$, 

— $|A \wedge B| = p \in sn \wedge \forall q\ \forall r\ \forall s\ (((p, q) \in red \wedge (q, r, s) \in andi) \Rightarrow ([r/p]|A| \wedge [s/p]|B|))$, 

— $|A \vee B| = p \in sn \wedge \forall q\ \forall r\ (((p, q) \in red \wedge (q, r) \in ori1) \Rightarrow [r/p]|A|) \wedge \forall q\ \forall r\ (((p, q) \in red \wedge (q, r) \in ori2) \Rightarrow [r/p]|B|)$, 

— $|\bot| = p \in sn$, 

— $|\forall x\ A| = p \in sn \wedge \forall q\ \forall w\ \forall r\ (((p, q) \in red \wedge (q, w, r) \in foralli) \Rightarrow \forall x\ \forall y\ ((x \in E_{S(x)} \wedge y \in term) \Rightarrow \forall s\ ((s, w, y, r) \in subst' \Rightarrow [s/p]|A|)))$, 

— $|\exists x\ A| = p \in sn \wedge \forall q\ \forall t\ \forall r\ (((p, q) \in red \wedge (q, t, r) \in existsi) \Rightarrow \exists x\ (x \in E_{S(x)} \wedge [r/p]|A|))$. 

Notice that the free variables of $|A|$ are among $term$, $subst$, $subst'$, $red$, $sn$, $impi$, $andi$, $ori1$, $ori2$, $foralli$, $existsi$, $p$, $E_0, \ldots, E_m$, $x_1, \ldots, x_n, x_{n+1}$. Let 

$$\varphi = a_1/x_1, \ldots, a_n/x_n, a_{n+1}/x_{n+1}$$

$$\begin{array}{rl}
\psi = & Term/term,\ Subst/subst,\ Subst'/subst',\ Red/red,\ Sn/sn, \\
& ImpI/impi,\ AndI/andi,\ OrI1/ori1,\ OrI2/ori2,\ ForallI/foralli,\ ExistsI/existsi, \\
& A_0/E_0, \ldots, A_m/E_m,\ \tau^{k_1} a_1/x_1, \ldots, \tau^{k_n} a_n/x_n,\ \tau^{k_{n+1}} a_{n+1}/x_{n+1}
\end{array}$$

We check, by induction over the structure of $A$, that if $A$ is a stratifiable proposition in the language $\in$, then the set of proofs $\pi$ such that $\llbracket |A| \rrbracket^{\mathcal{M}}_{\psi + \pi/p} = 1$ is $\llbracket A \rrbracket^{\mathcal{N}}_\varphi$. 
- If $A$ is an atomic proposition $x_i \in x_j$, then $k_j = k_i + 1$, and we have $[\![|A|]\!]_{\psi,\pi/p} = 1$ if and only if $(\pi, \Gamma^{k_i} a_i)_{\mathcal{M}} \in_{\mathcal{M}} \Gamma^{k_j} a_j$ if and only if $(\pi, \Gamma^{k_i} a_i)_{\mathcal{M}} \in_{\mathcal{M}} \Gamma^{k_i+1} a_j$ if and only if $\Gamma^{k_i}(\pi, a_i)_{\mathcal{M}} \in_{\mathcal{M}} \Gamma^{k_i}(\Gamma a_j)$ if and only if $(\pi, a_i)_{\mathcal{M}} \in_{\mathcal{M}} \Gamma a_j$ if and only if $\pi$ is in $|A|_\varphi$.

- If $A = B \Rightarrow C$ then we have $[\![|A|]\!]_{\psi,\pi/p} = 1$ if and only if $\pi$ is strongly normalizable and whenever $\pi$ reduces to $\lambda\alpha\, \pi_1$ then for all $\pi'$ such that $[\![|B|]\!]_{\psi,\pi'/p} = 1$ we have $[\![|C|]\!]_{\psi,[\pi'/\alpha]\pi_1/p} = 1$ if and only if $\pi$ is strongly normalizable and whenever $\pi$ reduces to $\lambda\alpha\, \pi_1$ then for all $\pi'$ in $|B|_\varphi$, $[\pi'/\alpha]\pi_1$ is in $|C|_\varphi$ if and only if $\pi$ is in $|A|_\varphi$.

- If $A = B \wedge C$ then we have $[\![|A|]\!]_{\psi,\pi/p} = 1$ if and only if $\pi$ is strongly normalizable and whenever $\pi$ reduces to $\langle \pi_1, \pi_2 \rangle$ then $[\![|B|]\!]_{\psi,\pi_1/p} = 1$ and $[\![|C|]\!]_{\psi,\pi_2/p} = 1$ if and only if $\pi$ is strongly normalizable and whenever $\pi$ reduces to $\langle \pi_1, \pi_2 \rangle$ then $\pi_1$ is in $|B|_\varphi$ and $\pi_2$ is in $|C|_\varphi$ if and only if $\pi$ is in $|A|_\varphi$.

- If $A = B \vee C$ then we have $[\![|A|]\!]_{\psi,\pi/p} = 1$ if and only if $\pi$ is strongly normalizable and whenever $\pi$ reduces to $i(\pi_1)$ (resp. $j(\pi_2)$) then $[\![|B|]\!]_{\psi,\pi_1/p} = 1$ (resp. $[\![|C|]\!]_{\psi,\pi_2/p} = 1$) if and only if $\pi$ is strongly normalizable and whenever $\pi$ reduces to $i(\pi_1)$ (resp. $j(\pi_2)$) then $\pi_1$ is in $|B|_\varphi$ (resp. $\pi_2$ is in $|C|_\varphi$) if and only if $\pi$ is in $|A|_\varphi$.

- If $A = \bot$ then $[\![|A|]\!]_{\psi,\pi/p} = 1$ if and only if $\pi$ is strongly normalizable if and only if $\pi$ is in $|A|_\varphi$.

- If $A = \forall x\, B$, then $[\![|A|]\!]_{\psi,\pi/p} = 1$ if and only if $\pi$ is strongly normalizable and whenever $\pi$ reduces to $\lambda x\, \pi_1$, for all terms $t$ and for all $c$ in $\mathcal{M}$ such that $c \in_{\mathcal{M}} A_k$, $[\![|B|]\!]_{\psi + c/x, [t/x]\pi_1/p} = 1$ if and only if $\pi$ is strongly normalizable and whenever $\pi$ reduces to $\lambda x\, \pi_1$, for all $t$ and for all $e$ in $N$, $[\![|B|]\!]_{\psi + \Gamma^k e/x, [t/x]\pi_1/p} = 1$ if and only if $\pi$ is strongly normalizable and whenever $\pi$ reduces to $\lambda x\, \pi_1$, for all $t$ and for all $e$ in $N$, $[t/x]\pi_1$ is in $|B|_{\varphi + e/x}$ if and only if $\pi$ is in $|A|_\varphi$.

- If $A = \exists x\, B$, then $[\![|A|]\!]_{\psi,\pi/p} = 1$ if and only if $\pi$ is strongly normalizable and whenever $\pi$ reduces to $(t, \pi_1)$, there exists a $c$ in $\mathcal{M}$ such that $c \in_{\mathcal{M}} A_k$ and $[\![|B|]\!]_{\psi + c/x, [t/x]\pi_1/p} = 1$ if and only if $\pi$ is strongly normalizable and whenever $\pi$ reduces to $(t, \pi_1)$, there exists an $e$ in $N$ such that $[\![|B|]\!]_{\psi + \Gamma^k e/x, [t/x]\pi_1/p} = 1$ if and only if $\pi$ is strongly normalizable and whenever $\pi$ reduces to $(t, \pi_1)$, there exists an $e$ in $N$ such that $[t/x]\pi_1$ is in $|B|_{\varphi + e/x}$ if and only if $\pi$ is in $|A|_\varphi$.

Then, the model $\mathcal{M}$ is a model of the comprehension scheme. Hence, it is a model of the proposition

$$\forall E_0 \ldots \forall E_m\, \forall x_1 \ldots \forall x_n\, \exists z\, \forall p\, \forall x_{n+1}\, ((p, x_{n+1}) \in z \Leftrightarrow ((p, x_{n+1}) \in proof \times U \wedge |A|))$$

Thus, for all $a_1, \ldots, a_n$, there exists an object $b_0$ such that for all $a_{n+1}$,

$$[\![(p, x_{n+1}) \in z \Leftrightarrow ((p, x_{n+1}) \in proof \times U \wedge |A|)]\!]_{\psi, Proof/proof, b_0/z, U_{k_{n+1}+1}/U, \pi/p} = 1$$

We have $(\pi, \Gamma^{k_{n+1}} a_{n+1})_{\mathcal{M}} \in_{\mathcal{M}} b_0$ if and only if $\pi$ is a proof, $\Gamma^{k_{n+1}} a_{n+1} \in_{\mathcal{M}} U_{k_{n+1}+1}$ and $[\![|A|]\!]_{\psi,\pi/p} = 1$. Thus $(\pi, a_{n+1})_{\mathcal{M}} \in_{\mathcal{M}} \Gamma^{-k_{n+1}} b_0$ if and only if $a_{n+1} \in_{\mathcal{M}} U_1$ and $\pi$ is in $|A|_\varphi$. We take $b = \Gamma^{-k_{n+1}-1} b_0$, and for all $a_{n+1}$ in $N$ we have $(\pi, a_{n+1})_{\mathcal{M}} \in_{\mathcal{M}} \Gamma b$ if and only if $\pi$ is in $|A|_\varphi$. Finally, notice that $b_0$ is a set of pairs $(\pi, \beta)_{\mathcal{M}}$ where $\pi$ is a proof and $\beta$ an element of $U_{k_{n+1}+1}$, and for each $\beta$ in $U_{k_{n+1}+1}$ the set of $\pi$ such that $(\pi, \beta)_{\mathcal{M}} \in_{\mathcal{M}} b_0$ is $\{\pi \mid [\![|A|]\!]_{\psi,\pi/p} = 1\}$, hence it is a reducibility candidate. Hence $b_0 \in_{\mathcal{M}} A_{k_{n+1}+1}$ and $b$ is in $N$.

Definition 13 (Crabbé's pre-model).

The pre-model $\mathcal{N}$ is defined as follows. The base set is $N$. The function $\in_{\mathcal{N}}$ is defined above. The function $f_{x_1, \ldots, x_n, x_{n+1}, A}$ maps $(a_1, \ldots, a_n)$ to the object $b$ such that for all $a_{n+1}$ in $N$, $(\pi, a_{n+1})_{\mathcal{M}} \in_{\mathcal{M}} \Gamma b$ if and only if $\pi$ is in $|A|_{a_1/x_1, \ldots, a_{n+1}/x_{n+1}}$.

Proposition 8. The pre-model $\mathcal{N}$ is a pre-model of the Stratified Foundations.

Proof. If $A$ is a stratifiable proposition in the language $G$, then $\pi$ is in $|t_{n+1} \in f_{x_1, \ldots, x_n, x_{n+1}, A}(t_1, \ldots, t_n)|_\varphi$ if and only if $(\pi, |t_{n+1}|_\varphi)_{\mathcal{M}} \in_{\mathcal{M}} \Gamma f_{x_1, \ldots, x_n, x_{n+1}, A}(|t_1|_\varphi, \ldots, |t_n|_\varphi)$ if and only if $\pi$ is in $|A|_{|t_1|_\varphi/x_1, \ldots, |t_n|_\varphi/x_n, |t_{n+1}|_\varphi/x_{n+1}}$. Hence, if $A \equiv B$ then $A$ and $B$ have the same denotation.

Corollary 2. All proofs strongly normalize in the Stratified Foundations. 

Remark 1. As already noticed in [2], instead of constructing the pre-model of the Stratified Foundations within an automorphic $\omega$-model of Zermelo's set theory, we could construct it within an $\omega$-model of the Stratified Foundations. In such a model $U$, we can define recursively enumerable relations, because the Stratified Foundations contains enough arithmetic and comprehension. Then we can take the sequence $U_i$ to be the constant sequence equal to $w$, where $w$ is a universal set, i.e. a set such that $a \in_U w$ for all elements $a$ of the model. Such an object obviously verifies $\wp_U(\wp_U(\wp_U(w)))$. In other words, we say that an element of $U$ is admissible if it is a set of pairs $(\pi, \beta)_U$ where $\pi$ is a proof and for each $\beta$ in $U$, the set of $\pi$ such that $(\pi, \beta) \in_U a$ is a reducibility candidate. Proposition El becomes trivial, but we need to use the existence of a universal set to prove that there are admissible elements in the model and that there is a set $N$ of admissible elements in the model. Hence, the difficult part in this pre-model construction (the part that would not go through for Zermelo's set theory, for instance) is the construction of the base set.
Conclusion

In this paper, we have shown that the Stratified Foundations can be expressed in deduction modulo and that the normalization proof for this theory can be decomposed into two lemmas: one expressing that it has a pre-model and the other that proofs normalize in this theory if it has a pre-model. This second lemma is not specific to the Stratified Foundations, but holds for all theories modulo. The idea of the first lemma is to construct a pre-model within an $\omega$-model of the theory with the help of formal realizability. This idea does not seem to be specific to the Stratified Foundations either, but its generality remains to be investigated. Thus, this example contributes to exploring the border between the theories modulo that have the normalization property and those that do not.
Abstract. We show how a simple semantic characterization of normalization by evaluation for the $\lambda_{\beta\eta}$-calculus can be extended to a similar construction for normalization of terms in the computational $\lambda$-calculus. Specifically, we show that a suitable residualizing interpretation of base types, constants, and computational effects allows us to extract a syntactic normal form from a term's denotation. The required interpretation can itself be constructed as the meaning of a suitable functional program in an ML-like language, leading directly to a practical normalization algorithm. The results extend easily to product and sum types, and can be seen as a formal basis for call-by-value type-directed partial evaluation.



1 Introduction 

The basic idea of normalization by evaluation is to extract the normal form (with respect to some notion of conversion) of a term from its interpretation in a suitably chosen, quasi-syntactic denotational model of the conversion relation.

For instance, let us consider the interpretation of a pure, simply typed lambda-term $E$ in a model where all base types are interpreted as the set $\Lambda$ of well-formed lambda-terms, and function types are interpreted as full set-theoretic function spaces. Then it is fairly simple to (at least informally) construct, for any type $\tau$, a function $nf_\tau \in [\![\tau]\!] \to \Lambda$ such that for any closed term $\hat{E} : \tau$ in $\beta\eta$-long normal form, $nf_\tau([\![\hat{E}]\!]) =_\alpha \hat{E}$. We proceed as follows:

Let $\tau = \tau_1 \to \cdots \to \tau_n \to b$ ($n \geq 0$), where each $\tau_i = \tau_{i1} \to \cdots \to \tau_{im_i} \to b_i$. Then $\hat{E} : \tau$ must be of the form $\lambda x_1. \cdots . \lambda x_n.\, x_i\, E_1 \cdots E_{m_i}$ where each $E_j : \tau_{ij}$ is again in normal form. We can thus define $nf_\tau$ inductively as:

$$nf_\tau = \lambda f.\, LAM(v_1, \ldots, LAM(v_n, f\,(\lambda a_1. \cdots . \lambda a_{m_1}.\, APP(\cdots APP(VAR\, v_1, nf_{\tau_{11}}\, a_1) \cdots, nf_{\tau_{1m_1}}\, a_{m_1})) \cdots (\lambda a_1. \cdots . \lambda a_{m_n}.\, APP(\cdots APP(VAR\, v_n, nf_{\tau_{n1}}\, a_1) \cdots, nf_{\tau_{nm_n}}\, a_{m_n}))) \ldots)$$

where the $v_i$ are "fresh" variable names, and we use $VAR$, $LAM$, and $APP$ for constructing elements of $\Lambda$, to distinguish them from function abstraction and application in the set-theoretic model.

* Basic Research in Computer Science (www.brics.dk), 
funded by the Danish National Research Foundation. 

S. Abramsky (Ed.): TLCA 2001, LNCS 2044, pp. 151-165, 2001.

© Springer-Verlag Berlin Heidelberg 2001
Moreover, it is easy to see that $nf_\tau([\![-]\!])$ is in fact a normalization function: since $\beta\eta$-convertibility is sound for equality in all set-theoretic interpretations (and hence also in our chosen one), we have, for all terms $E$ and $E'$, that $E =_{\beta\eta} E'$ implies $[\![E]\!] = [\![E']\!]$. So if $\hat{E}$ is the $\beta\eta$-long normal form of $E$, then $nf_\tau([\![E]\!]) = nf_\tau([\![\hat{E}]\!]) =_\alpha \hat{E}$.

Finally, if we can also construct a syntactic term $\overline{nf}_\tau : \tau \to \Lambda$ such that $nf_\tau [\![E]\!] = [\![\overline{nf}_\tau\, E]\!]$, then $\overline{nf}_\tau\, E$ is a closed term of base type $\Lambda$, and can thus be executed as a functional program. This gives us a very efficient executable algorithm for computing normal forms, and was indeed one of the motivations behind the construction [?]: we are reducing the general problem of term normalization to a special case for which we already have a good solution.

A natural question arises whether this semantic technique for normalization of lambda-terms is inherently tied to $\beta\eta$-conversion. Somewhat surprisingly, it is not: in the following, we show how the same idea can be used to normalize terms with respect to the computational lambda-calculus [?], where it also extends to product and - more notably - sum types. In fact, we can systematically extract the computational normal form of any pure, typed lambda-term from only its observable behavior in an imperative functional language such as ML.

Despite the relative simplicity of the construction, there are still a few technical details to nail down, even in the purely functional case. Accordingly, we will first present in Section 2 the normalization algorithm for a call-by-name setting, then show in Section 3 how it can be refined to call-by-value. In Section 4 we show how to further extend the normalizer with product and sum types, and in Section 5 we consider the relationship between normalization by evaluation and type-directed partial evaluation. Finally, Section 6 concludes and points out some directions for further work.

2 Normalization by Evaluation for Call by Name 

The normalization construction sketched above, essentially due to Berger and Schwichtenberg [?], has been studied in many formulations [?], including more syntactic variants [?] as well as category-theoretic ones [?]. In the following, we present it in a call-by-name functional-programming setting [?]; this formulation extends particularly naturally to the call-by-value variant in the next section.

2.1 Language and Semantic Framework 

Syntax. A signature $\Sigma$ includes, first, a collection of base types $b$. The set of well-formed $\Sigma$-types $\tau$ is then given by the grammar

$$\tau ::= b \mid \tau_1 \to \tau_2$$

Further, $\Sigma$ assigns $\Sigma$-types to a (possibly infinite) collection of constants $c$. Let $x$ range over variable names, and $\Gamma$ be a finite assignment of $\Sigma$-types to variables. Then the set of well-typed $\Sigma$-terms $\Gamma \vdash_\Sigma E : \tau$ is again given by the usual rules:

$$\frac{\Sigma(c) = \tau}{\Gamma \vdash_\Sigma c : \tau} \qquad \frac{\Gamma(x) = \tau}{\Gamma \vdash_\Sigma x : \tau} \qquad \frac{\Gamma, x{:}\tau_1 \vdash_\Sigma E : \tau_2}{\Gamma \vdash_\Sigma \lambda x^{\tau_1}.E : \tau_1 \to \tau_2} \qquad \frac{\Gamma \vdash_\Sigma E_1 : \tau_1 \to \tau_2 \quad \Gamma \vdash_\Sigma E_2 : \tau_1}{\Gamma \vdash_\Sigma E_1\, E_2 : \tau_2}$$

Finally, a $\Sigma$-program is a closed $\Sigma$-term of base type.

Semantics. For concreteness, and to accommodate the refinements in Section 3, we consider only a specific, domain-theoretic framework, but the results also adapt easily to a set-theoretic setting, by forgetting the order structure.

We work in the setting of (bottomless) cpos and (total) continuous functions. We also use the concept of a monad (more precisely, a Kleisli triple) $\mathbf{T} = (T, \eta, \ast)$, where $T$ maps cpos to cpos, $\eta_A \in A \to TA$ is the unit function, and $\ast_{A,B} \in TA \times (A \to TB) \to TB$ is the extension operation written backwards, i.e., with the function last; this makes longer sequences of extensions easier to read. We omit the subscripts on units and extensions where they are clear from the context. A particularly important instance is the lifting monad, $\mathbf{T}^l$, where $T^l A = A_\bot = \{\lfloor a \rfloor \mid a \in A\} \cup \{\bot\}$ with the usual ordering, $\eta^l a = \lfloor a \rfloor$, $\bot \ast^l f = \bot$, and $\lfloor a \rfloor \ast^l f = f\,a$.

An interpretation $I$ of a signature $\Sigma$ is a pair of functions $(B, C)$. $B$ assigns to every base type $b$ in $\Sigma$ a cpo $B(b)$. This assignment determines for any $\Sigma$-type $\tau$ a pointed (i.e., containing a least element) cpo $[\![\tau]\!]^I$ as follows:

$$[\![b]\!]^I = T^l B(b) \qquad [\![\tau_1 \to \tau_2]\!]^I = [\![\tau_1]\!]^I \to [\![\tau_2]\!]^I$$

where $A \to B$ denotes the cpo of all continuous functions between $A$ and $B$. We also give meaning to a type assignment $\Gamma$ as a finite product:

$$[\![\Gamma]\!]^I = \prod_{x \in \mathrm{dom}\,\Gamma} [\![\Gamma(x)]\!]^I = \{\rho \mid \forall x \in \mathrm{dom}\,\Gamma.\ \rho\,x \in [\![\Gamma(x)]\!]^I\}$$

The function $C$ assigns to every $\Sigma$-constant $c$ an element $C(c) \in [\![\Sigma(c)]\!]^I$. Again this assignment extends to a full semantics of terms: for any $\Gamma \vdash_\Sigma E : \tau$, we define a continuous function $[\![E]\!]^I \in [\![\Gamma]\!]^I \to [\![\tau]\!]^I$ in the usual way:

$$[\![c]\!]^I \rho = C(c) \qquad [\![\lambda x^{\tau}.E]\!]^I \rho = \lambda a.\, [\![E]\!]^I(\rho[x \mapsto a])$$

$$[\![x]\!]^I \rho = \rho\,x \qquad [\![E_1\, E_2]\!]^I \rho = [\![E_1]\!]^I \rho\,([\![E_2]\!]^I \rho)$$

Equivalence and normal forms. We say that two $\Sigma$-terms $E$ and $E'$ are semantically equivalent, written $\models E = E'$, if for all interpretations $I$ of $\Sigma$, $[\![E]\!]^I = [\![E']\!]^I$. It is easy to see that if $E =_{\beta\eta} E'$ then $\models E = E'$. More generally, if $Int$ is a subset of all possible interpretations of $\Sigma$ (e.g., constraining the meanings of some of the constants), we write $\models_{Int} E = E'$ iff for all $I \in Int$, $[\![E]\!]^I = [\![E']\!]^I$; we will return to this notion in Section 5.

Among the well-typed terms $\Gamma \vdash_\Sigma E : \tau$, we distinguish those in normal and atomic (also known as neutral) form:

$$\frac{\Gamma \vdash^a E : b}{\Gamma \vdash^n E : b} \qquad \frac{\Gamma, x{:}\tau_1 \vdash^n E : \tau_2}{\Gamma \vdash^n \lambda x^{\tau_1}.E : \tau_1 \to \tau_2}$$

$$\frac{\Gamma(x) = \tau}{\Gamma \vdash^a x : \tau} \qquad \frac{\Sigma(c) = \tau}{\Gamma \vdash^a c : \tau} \qquad \frac{\Gamma \vdash^a E_1 : \tau_1 \to \tau_2 \quad \Gamma \vdash^n E_2 : \tau_1}{\Gamma \vdash^a E_1\, E_2 : \tau_2}$$

A normalization function, in the sense of Coquand and Dybjer [?] (but with a semantic notion of equivalence), then maps any term $E$ to a normal-form term $norm(E)$, such that $\models norm(E) = E$, and such that for all $E'$ with $\models E' = E$, $norm(E') = norm(E)$.
2.2 A Normalization Result

The traditional way of computing $norm(E)$ is by repeated $\beta$-reductions, possibly followed by $\eta$-expansions. However, we can also compute $norm$ by a subtler, semantic method, reduction-free normalization.

Representing lambda-terms. Let $V$ be a set (= discrete cpo) of explicitly typed variable names, and $E$ a set suitable for representing lambda-terms, i.e., allowing us to define injective functions with mutually disjoint ranges,

$$CST \in \mathrm{dom}\,\Sigma \to E, \quad VAR \in V \to E, \quad LAM \in V \times E \to E, \quad APP \in E \times E \to E$$

Then for any term $E$ with variables from $V$, we define its representation $\ulcorner E \urcorner \in E$ in the obvious way, e.g., $\ulcorner \lambda x.E \urcorner = LAM(x, \ulcorner E \urcorner)$. Because of the injectivity and disjointness assumptions, for any $e \in E$, there is at most one $E$ such that $\ulcorner E \urcorner = e$; we need not require that all elements of $E$ represent well-formed lambda-terms, let alone well-typed ones.

(We deliberately use a very concrete representation of terms, rather than a higher-level notion based on abstract syntax with binding constructs such as [?]. Our ultimate goal is to implement the normalization process as a simple functional program, without assuming potentially expensive operations, such as capture-avoiding substitution, as primitives.)

The task is now to construct an interpretation $I_r$ of $\Sigma$ such that we can recover $E$'s normal form from $[\![E]\!]^{I_r}$. We want to use the idea from the introduction, but need to account rigorously for "fresh" variable names. Freshness could be captured abstractly in a framework such as Fraenkel-Mostowski sets [?], but this again removes us a level from a direct implementation. Instead, we will explicitly generate non-clashing variable names. Perhaps the simplest scheme for doing so is through de Bruijn levels [?], but we adopt instead a scheme for generating "globally unique", gensym-style names using a monad, as it scales better to the constructions of the next section.

Auxiliary definitions. We first define the name-generation monad $\mathbf{T}^g$. This is just a state-passing monad atop $\mathbf{T}^l$; the state is the "next free index":

$$T^g A = \mathbb{N} \to T^l(A \times \mathbb{N}) \qquad \eta^g a = \lambda i.\, \eta^l(a, i) \qquad t \ast^g f = \lambda i.\, t\,i \ast^l \lambda(a, i').\, f\,a\,i'$$

With respect to $\mathbf{T}^g$, we can define an effectful computation that generates a fresh name, and one that initializes the index within a delimited subcomputation:

$$new \in T^g V \qquad withct_A \in T^g A \to T^l A$$

$$new = \lambda i.\, \eta^l(g_i, i+1) \qquad withct_A\, t = t\,0 \ast^l \lambda(a, i').\, \eta^l a$$

where the $g_i \in V$ are assumed distinct for distinct $i$. Note that the codomain of $withct_A$ is simply $T^l A$, i.e., $withct\, t$ represents a side-effect-free, purely functional computation, for any name-generating computation $t$.
The residualizing interpretation. We can now define a suitable residualizing interpretation $I_r = (B_r, C_r)$. For $B_r$ we take, for all base types $b$ in $\Sigma$,

$$B_r(b) = T^g E$$

Formalizing the construction from the introduction, we further define, for any $\Sigma$-type $\tau$, a pair of functions commonly called reification and reflection:

$$\downarrow_\tau \in [\![\tau]\!]^{I_r} \to T^g E$$

$$\downarrow_b = \lambda e.\, e \qquad \downarrow_{\tau_1 \to \tau_2} = \lambda f.\, new \ast^g \lambda v.\, \downarrow_{\tau_2}(f(\uparrow_{\tau_1}(\eta^g(VAR\, v)))) \ast^g \lambda e.\, \eta^g(LAM(v, e))$$

$$\uparrow_\tau \in T^g E \to [\![\tau]\!]^{I_r}$$

$$\uparrow_b = \lambda e.\, e \qquad \uparrow_{\tau_1 \to \tau_2} = \lambda e.\, \lambda a.\, \uparrow_{\tau_2}(e \ast^g \lambda e.\, \downarrow_{\tau_1} a \ast^g \lambda e'.\, \eta^g(APP(e, e')))$$

(It may be helpful, on a first reading, to think of $\mathbf{T}^g$ as just the identity monad, and $new$ as "magically" generating fresh variable names; then the reification function simplifies to precisely the construction of $nf$ sketched in Section 1.) Finally, we define the residualizing interpretation of constants by

$$C_r(c) \in [\![\Sigma(c)]\!]^{I_r}, \qquad C_r(c) = \uparrow_{\Sigma(c)}(\eta^g(CST\, c))$$

The normalization function. To extract the syntactic normal form from the residualizing meaning of a term, we only need to supply a starting index for name generation. We can thus define an extraction function:

$$nf_\tau \in [\![\tau]\!]^{I_r} \to T^l E, \qquad nf_\tau = \lambda a.\, withct_E(\downarrow_\tau a)$$

Finally, we define the (potentially partial) syntax-to-syntax function $norm$ on closed terms $\vdash_\Sigma E : \tau$ by

$$norm(E) = \hat{E} \quad \text{iff} \quad nf_\tau([\![E]\!]^{I_r} \emptyset) = \eta^l \ulcorner \hat{E} \urcorner$$

(We can find normal forms of open terms by explicitly lambda-abstracting over their free variables. The closed-term formulation leads to a particularly natural implementation, as sketched below.)

Theorem 1 (CBN semantic normalization). Let $\vdash_\Sigma E : \tau$ be a closed $\Sigma$-term. Then (0) $\hat{E} = norm(E)$ is defined, (1) $\vdash^n \hat{E} : \tau$, (2) $\models \hat{E} = E$, and (3) for all $\vdash_\Sigma E' : \tau$ such that $\models E' = E$, $norm(E') = \hat{E}$.

If we already know that any $\Sigma$-term has a unique (up to $\alpha$-conversion) $\beta\eta$-long normal form, the proof is fairly simple, using the argument sketched in the introduction. However, it is also possible to prove the theorem directly, using a suitable Kripke logical relation between the meanings of terms in the residualizing interpretation and in an arbitrary one $I$, with the base relation taken as the denotational meaning function. The details (for a more general setting, as sketched in Section 3) can be found in [?].
A normalization algorithm. The normalization function described above can be effectively computed as a program in any PCF-like functional language. The key idea is to express the residualizing semantic interpretation as a syntactic realization of all base types and constants in $\Sigma$ in terms of types and terms of the programming-language signature $\Sigma_{pl}$, giving a substitution $\sigma$. Likewise, for any $\Sigma$-type $\tau$, we construct a term $\overline{nf}_\tau$ such that $[\![\overline{nf}_\tau]\!]^{I_{pl}} \emptyset = nf_\tau$. Then for any closed $\Sigma$-term $\vdash_\Sigma E : \tau$, we can compute its normal form by evaluating the $\Sigma_{pl}$-program $\overline{nf}_\tau\,(\sigma E)$. Again, the details can be found in [?].
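The call-by-name construction of this section (reification, reflection, the residualizing interpretation of constants and $norm$), as an added Python example that is not part of the paper; the tuple encoding of types and terms and the use of a mutable counter in place of the state-passing monad $\mathbf{T}^g$ are assumptions of the example:

```python
# Added example (not from the paper): call-by-name normalization by
# evaluation with gensym-style fresh names, following the reify/reflect
# scheme above.  The tuple encodings of types and of the term constructors
# CST, VAR, LAM, APP are this example's own assumption.
BASE = ("b",)                       # the single base type b


def arrow(t1, t2):
    """Function type t1 -> t2."""
    return ("->", t1, t2)


class Gensym:
    """The name-generation state: the paper's 'next free index'.
    A fresh counter per call of norm plays the role of withct."""

    def __init__(self):
        self.i = 0

    def new(self):
        v = f"g{self.i}"            # g_i, distinct for distinct i
        self.i += 1
        return v


def reify(tau, a, gs):
    """Reification (down arrow): semantic value of type tau -> term."""
    if tau == BASE:
        return a                    # base values already are terms
    _, t1, t2 = tau
    v = gs.new()                    # fresh bound variable for the LAM
    body = reify(t2, a(reflect(t1, ("VAR", v), gs)), gs)
    return ("LAM", v, body)


def reflect(tau, e, gs):
    """Reflection (up arrow): atomic term e -> semantic value of type tau."""
    if tau == BASE:
        return e
    _, t1, t2 = tau
    # An atomic function becomes the semantic function that reifies its
    # argument and reflects the resulting application at the result type.
    return lambda arg: reflect(t2, ("APP", e, reify(t1, arg, gs)), gs)


def evaluate(term, env, gs, sigma):
    """The residualizing interpretation [E]^{I_r} of a source term;
    sigma maps each constant name to its Sigma-type."""
    tag = term[0]
    if tag == "VAR":
        return env[term[1]]
    if tag == "CST":                # C_r(c) = reflect_{Sigma(c)}(CST c)
        return reflect(sigma[term[1]], ("CST", term[1]), gs)
    if tag == "LAM":
        _, x, body = term
        return lambda a: evaluate(body, {**env, x: a}, gs, sigma)
    if tag == "APP":
        _, fun, arg = term
        return evaluate(fun, env, gs, sigma)(evaluate(arg, env, gs, sigma))
    raise ValueError(f"unknown term form {tag!r}")


def norm(term, tau, sigma=None):
    """norm(E): the beta-eta-long normal form of a closed term E : tau."""
    gs = Gensym()                   # withct: start the index at 0
    return reify(tau, evaluate(term, {}, gs, sigma or {}), gs)


if __name__ == "__main__":
    BB = arrow(BASE, BASE)
    # (lambda x. x)(lambda y. y) : b -> b  normalizes to the identity
    ident = ("APP", ("LAM", "x", ("VAR", "x")), ("LAM", "y", ("VAR", "y")))
    print(norm(ident, BB))          # ('LAM', 'g0', ('VAR', 'g0'))
    # a constant f : b -> b is eta-expanded to lambda g0. f g0
    print(norm(("CST", "f"), BB, {"f": BB}))
```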

3 Normalization by Evaluation for Call by Value with Effects

We now refine the normalization result to a language based on Moggi's computational lambda-calculus $\lambda_c$ [?], which provides a semantic framework for ML-like languages where "functions" may have effects such as mutating the state, performing input/output operations, or raising exceptions.

3.1 Language and Semantic Framework 

Syntax and semantics. The syntax of types is the same as before. For terms, we also add a let-construct, with the usual typing rule:

$$\frac{\Gamma \vdash_\Sigma E_1 : \tau_1 \quad \Gamma, x{:}\tau_1 \vdash_\Sigma E_2 : \tau_2}{\Gamma \vdash_\Sigma \mathrm{let}\ x = E_1\ \mathrm{in}\ E_2 : \tau_2}$$

Now an interpretation $I$ of a signature $\Sigma$ consists of a triple $(B, \mathbf{T}, C)$. As before, $B$ assigns cpos to base types of $\Sigma$. The new component $\mathbf{T} = (T, \eta, \ast)$ is a monad used to model computational effects. These could be just divergence (modeled with the lifting monad), but also state, exceptions, continuations, etc.; the actual effectful operations are invoked through suitable constants from $\Sigma$.

We need to assume that $\mathbf{T}$ is layered atop $\mathbf{T}^l$ [?]; this amounts to requiring that $TA$ is pointed for any $A$, and that $\lambda t.\, t \ast f \in TA \to TB$ is strict for any $f \in A \to TB$. The CBV semantics of types is then given by:

$$[\![b]\!]_v = B(b) \qquad [\![\tau_1 \to \tau_2]\!]_v = [\![\tau_1]\!]_v \to T[\![\tau_2]\!]_v$$

The meaning of a typing environment, $[\![\Gamma]\!]_v$, is a $(\mathrm{dom}\,\Gamma)$-indexed product of the meanings of the individual types, as before.

For the semantic function $C$, we again require that for any $c \in \mathrm{dom}\,\Sigma$, $C(c) \in [\![\Sigma(c)]\!]_v$. Then we define the meaning of a well-typed term $\Gamma \vdash_\Sigma E : \tau$ as a continuous function $[\![E]\!]_v \in [\![\Gamma]\!]_v \to T[\![\tau]\!]_v$, as follows:

$$[\![c]\!]_v \rho = \eta(C(c)) \qquad [\![\lambda x^{\tau}.E]\!]_v \rho = \eta(\lambda a.\, [\![E]\!]_v(\rho[x \mapsto a]))$$

$$[\![x]\!]_v \rho = \eta(\rho\,x) \qquad [\![E_1\, E_2]\!]_v \rho = [\![E_1]\!]_v \rho \ast \lambda f.\, [\![E_2]\!]_v \rho \ast \lambda a.\, f\,a$$

$$[\![\mathrm{let}\ x = E_1\ \mathrm{in}\ E_2]\!]_v \rho = [\![E_1]\!]_v \rho \ast \lambda a.\, [\![E_2]\!]_v(\rho[x \mapsto a])$$

Note that the let-construct appears redundant, because $[\![\mathrm{let}\ x = E_1\ \mathrm{in}\ E_2]\!]_v \rho = [\![(\lambda x.E_2)\, E_1]\!]_v \rho$, but including it enables a nicer syntactic characterization of normal forms.
Equivalence and normal forms. Analogously to the CBN case, we write $\models_v E = E'$ if for all $I$, $[\![E]\!]_v^I = [\![E']\!]_v^I$. The shape of normal forms is now somewhat different, however: instead of normal and atomic forms, we have normal values and normal computations:

$$\frac{\Sigma(c) = b}{\Gamma \vdash^v c : b} \qquad \frac{\Gamma(x) = b}{\Gamma \vdash^v x : b} \qquad \frac{\Gamma, x{:}\tau_1 \vdash^c E : \tau_2}{\Gamma \vdash^v \lambda x^{\tau_1}.E : \tau_1 \to \tau_2}$$

$$\frac{\Gamma \vdash^v E : \tau}{\Gamma \vdash^c E : \tau} \qquad \frac{\Sigma(c) = \tau_1 \to \tau_2 \quad \Gamma \vdash^v E : \tau_1 \quad \Gamma, x{:}\tau_2 \vdash^c E' : \tau}{\Gamma \vdash^c \mathrm{let}\ x = c\,E\ \mathrm{in}\ E' : \tau}$$

$$\frac{\Gamma(x') = \tau_1 \to \tau_2 \quad \Gamma \vdash^v E : \tau_1 \quad \Gamma, x{:}\tau_2 \vdash^c E' : \tau}{\Gamma \vdash^c \mathrm{let}\ x = x'\,E\ \mathrm{in}\ E' : \tau}$$

That is, a normal value is either a base-typed constant or variable, or of the form $\lambda x.\ \mathrm{let}\ x_1 = f_1\, V_1\ \mathrm{in} \cdots \mathrm{let}\ x_n = f_n\, V_n\ \mathrm{in}\ V$ where all the $V_i$ are normal values, and each $f_i$ is a function-typed constant or variable.

The set of normal-form terms is similar to Flanagan et al.'s A-normal forms [?]. However, their notion of A-reduction does not include even restricted $\beta$-conversion, so a term such as $(\lambda x.\, x)\, y$ is already A-normal. (Nor does it include $\eta$-like let-conversions: both $f\, x$ and $\mathrm{let}\ y = f\, x\ \mathrm{in}\ y$ are A-normal.) A much closer match is Ohori's language of cut-free A-normal sequent proofs [?], but still with one important difference: since we also care about uniqueness of normal forms, a variable is only a normal value in our sense if it is of base type; function-typed normal values must always be syntactic lambda-abstractions.

3.2 A Normalization Result 

Term representations. Corresponding to the extended source syntax, we also assume given an additional constructor function $LET \in V \times E \times E \to E$, injective and with range disjoint from the others. The representation function for terms is also extended in the obvious way.

Residualizing monad. For constructing the residualizing interpretation, we now also need to pick a residualizing monad $\mathbf{T}^r$. It is easy to see that we cannot simply use the lifting monad here, even if we only care about "purely functional" call-by-value languages, i.e., interpretations with $\mathbf{T}$ taken as lifting. The reason is that the two normal-form terms $E_1 = \lambda f^{b \to b}.\lambda x^b.\ \mathrm{let}\ y = f\,x\ \mathrm{in}\ x$ and $E_2 = \lambda f^{b \to b}.\lambda x^b.\, x$ are not semantically equivalent: for any $I$ where $\mathbf{T}$ is the lifting monad, we only have $[\![E_1]\!]_v^I \rho \sqsubseteq [\![E_2]\!]_v^I \rho$ (with the strictness of the inequality demonstrated by application of both sides to $\lambda a.\, \bot$). But $\ulcorner E_1 \urcorner \not\sqsubseteq \ulcorner E_2 \urcorner$, so there can be no monotone (let alone continuous) function $nf : [\![(b \to b) \to b \to b]\!]_v^{I_r} \to E_\bot$ such that $nf([\![E_1]\!]_v^{I_r} \emptyset) = \eta \ulcorner E_1 \urcorner$ and $nf([\![E_2]\!]_v^{I_r} \emptyset) = \eta \ulcorner E_2 \urcorner$, if we require $I_r$ to use only the lifting monad to interpret computational effects.

Indeed, looking at the shape of normal computations, we see that the residualizing monad must allow us to register exactly where and when a function-typed constant or variable was applied, even if its return value is never used. We will show that it suffices that $\mathbf{T}^r$ can be equipped with operations

$$bind \in E \to T^r V \qquad \text{and} \qquad collect \in T^r E \to T^g E$$

satisfying the equational constraints

$$collect(\eta^r e) = \eta^g e$$

$$collect(bind\ e \ast^r f) = new \ast^g \lambda v.\, collect(f\,v) \ast^g \lambda e'.\, \eta^g(LET(v, e, e'))$$

These equations ensure that a $T^r E$-computation consisting of a sequence of calls to $bind$ followed by returning a term has the effect of wrapping that term in a corresponding sequence of $LET$s:

$$collect(bind\ e_1 \ast^r \lambda v_1. \cdots bind(e_n\, v_1 \cdots v_{n-1}) \ast^r \lambda v_n.\, \eta^r(e\, v_1 \cdots v_n)) = new \ast^g \lambda v_1. \cdots new \ast^g \lambda v_n.\, \eta^g(LET(v_1, e_1, \cdots LET(v_n, e_n\, v_1 \cdots v_{n-1}, e\, v_1 \cdots v_n)))$$

To view $T^g$-computations as special cases of $T^r$-computations, we will also need a monad morphism from $\mathbf{T}^g$ to $\mathbf{T}^r$, i.e., a collection of functions $\gamma^{g,r}_A \in T^g A \to T^r A$, such that $\gamma^{g,r}(\eta^g a) = \eta^r a$ and $\gamma^{g,r}(t \ast^g f) = \gamma^{g,r} t \ast^r \lambda a.\, \gamma^{g,r}(f\,a)$. We can construct a monad with these operations in several ways, notably including the following two:

The continuation monad with answer domain $T^g E$. We take:

$$T^r A = (A \to T^g E) \to T^g E \qquad \gamma^{g,r}\, t = \lambda\kappa.\, t \ast^g \kappa$$

$$\eta^r a = \lambda\kappa.\, \kappa\,a \qquad bind\ e = \lambda\kappa.\, new \ast^g \lambda v.\, \kappa\,v \ast^g \lambda e'.\, \eta^g(LET(v, e, e'))$$

$$t \ast^r f = \lambda\kappa.\, t(\lambda a.\, f\,a\,\kappa) \qquad collect\ t = t\, \eta^g$$

This continuation-based wrapping of syntactic bindings was originally used for an "administrative-reduction free" continuation-passing transformation [?], and later adapted for a similar purpose in type-directed partial evaluation [?]. It is notable for also allowing an extension of CBV NBE to sum types (see Section 4).

The accumulation monad over the monoid of $(V \times E)$-lists. Writing $[]$ for the empty list, $[-]$ for a singleton list, and $@$ for list concatenation, we take:

$$T^r A = T^g(A \times (V \times E)^*) \qquad \gamma^{g,r}\, t = t \ast^g \lambda a.\, \eta^g(a, [])$$

$$\eta^r a = \eta^g(a, []) \qquad bind\ e = new \ast^g \lambda v.\, \eta^g(v, [(v, e)])$$

$$t \ast^r f = t \ast^g \lambda(a, l).\, f\,a \ast^g \lambda(b, l').\, \eta^g(b, l\ @\ l') \qquad collect\ t = t \ast^g \lambda(e, l).\, \eta^g(wrap\ l\ e)$$

with the auxiliary function $wrap : (V \times E)^* \to E \to E$ defined inductively as

$$wrap\ []\ e = e \qquad wrap\ ([(v, e')]\ @\ l)\ e = LET(v, e', wrap\ l\ e)$$

This choice is a refinement of state-based TDPE [?]; see the end of this section for a brief account of the relationship between accumulation and state. Other constructions are also possible, such as accumulation with respect to the monoid $(E \to E, \circ)$.

Residualizing interpretation. For the residualizing interpretation, we again interpret all base types of $\Sigma$ as syntactic lambda-terms; this time, however, we do not need to involve the name-generation monad yet, but simply take:

$$B_r(b) = E$$



Normalization by Evaluation for the Computational Lambda-Calculus 






For any definition of $\mathbf{T}^r$ satisfying the equational constraints on $bind$ and $collect$, we can then define new reification and reflection functions:

$$\downarrow_b = \lambda e.\, \eta^g e$$

$$\downarrow_{\tau_1 \to \tau_2} = \lambda f.\, new \ast^g \lambda v.\, collect(\uparrow_{\tau_1}(VAR\, v) \ast^r \lambda a.\, f\,a \ast^r \lambda b.\, \gamma^{g,r}(\downarrow_{\tau_2} b)) \ast^g \lambda e.\, \eta^g(LAM(v, e))$$

$$\uparrow_b = \lambda e.\, \eta^r e$$

$$\uparrow_{\tau_1 \to \tau_2} = \lambda e.\, \eta^r(\lambda a.\, \gamma^{g,r}(\downarrow_{\tau_1} a) \ast^r \lambda e'.\, bind(APP(e, e')) \ast^r \lambda v.\, \uparrow_{\tau_2}(VAR\, v))$$

(The codomain of $\uparrow_\tau$ is $T^r [\![\tau]\!]_v^{I_r}$, rather than simply $[\![\tau]\!]_v^{I_r}$, to accommodate the extensions in Section 4.) Note in particular how every construction of an $APP$-term is wrapped in a $bind$.

Finally, as for call by name, we interpret all $\Sigma$-constants as reflected $CST$-constructors:

$$C_r(c) \in [\![\Sigma(c)]\!]_v^{I_r}, \qquad C_r(c) = a, \text{ where } \uparrow_{\Sigma(c)}(CST\, c) = \eta^r a$$

($C_r(c)$ is well defined, because the reflection function factors through the injective $\eta^r$.) We also define the extraction function essentially as before:

$$nf_\tau \in [\![\tau]\!]_v^{I_r} \to T^l E, \qquad nf_\tau = \lambda a.\, withct_E(\downarrow_\tau a)$$

and the CBV normalization function for a closed value (constant or lambda-abstraction) $E$ as

$$norm_v(E) = \hat{E} \quad \text{iff} \quad nf_\tau\, a = \eta^l \ulcorner \hat{E} \urcorner, \text{ where } [\![E]\!]_v^{I_r} \emptyset = \eta^r a.$$

(We can find the normal form of a non-value term by wrapping a dummy lambda-abstraction around it.)

Theorem 2 (CBV semantic normalization). Let $\vdash_\Sigma E : \tau$ be a value, and take $\hat{E} = norm_v(E)$. Then (0) $\hat{E}$ is defined, (1) $\vdash^v \hat{E} : \tau$, (2) $\models_v \hat{E} = E$, and (3) if $\models_v E' = E$ then $norm_v(E') = \hat{E}$.

The proof is similar to the CBN case, but using a pair of mutually inductively defined logical relations, one for values and one for computations. Very roughly, one again establishes that the residualizing and the arbitrary interpretations of all terms are related, and that for a pair of related values $(a, a') \in [\![\tau]\!]_v^{I_r} \times [\![\tau]\!]_v^I$ the $I$-meaning of $a$ equals $a'$.

A normalization algorithm. Phrasing the normalization function as a functional program is a bit more complicated than for the CBN case. A typical CBV host language will have its own notion of effects, modeled by some monad $\mathbf{T}^{pl}$, which is not likely to be exactly our residualizing monad $\mathbf{T}^r$. However, much as we can embed the normalization algorithm into a host language with a signature much larger than what we need for the construction, we can realize both the residualizing and the name-generating monad through a uniform effect-embedding into a more general notion of effect in the host language [?].

For example, the accumulation-based choice of $\mathbf{T}^r$ can be easily (and more efficiently) implemented by passing around the bindings accumulated so far in a mutable state cell, rather than appending the bindings from both subcomputations in $\ast$. The current name-generation index is naturally kept in another cell. An analogous, but somewhat more involved, construction also allows us to simulate $\mathbf{T}^r$ taken as a continuation monad, provided the host language provides both (higher-typed) state and first-class continuations, as found in Scheme or SML/NJ. The resulting implementation forms the basis of the CBV normalization algorithm used in the context of type-directed partial evaluation [?].
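The CBV construction of this section over the continuation-based residualizing monad, as an added Python example that is not from the paper; a mutable counter replaces the state-passing name-generation monad, and the tuple encoding of types and terms is an assumption of the example. It shows why the two terms $E_1$ and $E_2$ of Section 3.2 receive different normal forms:

```python
# Added example (not from the paper): call-by-value normalization by
# evaluation over the continuation-based residualizing monad T^r
# described above.  A mutable counter stands in for the state-passing
# name-generation monad T^g, so T^g E collapses to E itself; the tuple
# encodings of types and of CST, VAR, LAM, APP, LET are assumptions.
BASE = ("b",)

def arrow(t1, t2):
    return ("->", t1, t2)

class Gensym:
    """Fresh-name supply: the paper's 'next free index'."""

    def __init__(self):
        self.i = 0

    def new(self):
        v = f"g{self.i}"
        self.i += 1
        return v

# T^r A = (A -> E) -> E: a computation takes a continuation that builds
# the rest of the residual term from the computation's result.
def unit(a):                        # eta^r a = lambda k. k a
    return lambda k: k(a)

def bind_r(t, f):                   # t *^r f = lambda k. t (lambda a. f a k)
    return lambda k: t(lambda a: f(a)(k))

def bind_let(e, gs):                # bind e: name the application e with a LET
    def run(k):
        v = gs.new()
        return ("LET", v, e, k(v))  # the rest of the term lives under the LET
    return run

def collect(t):                     # collect t = t eta^g: run with the identity
    return t(lambda e: e)

def reify(tau, a, gs):
    """Down arrow: a semantic value of type tau -> a residual term."""
    if tau == BASE:
        return a
    _, t1, t2 = tau
    v = gs.new()
    # Apply a to the reflected variable, reify the result, and let collect
    # wrap every bind performed on the way into LETs inside the LAM body.
    comp = bind_r(reflect(t1, ("VAR", v), gs),
                  lambda arg: bind_r(a(arg),
                                     lambda res: unit(reify(t2, res, gs))))
    return ("LAM", v, collect(comp))

def reflect(tau, e, gs):
    """Up arrow: an atomic term e -> T^r computation of a value of type tau."""
    if tau == BASE:
        return unit(e)
    _, t1, t2 = tau

    def apply(arg):
        # Every APP is registered with bind, so its place in the sequence
        # of effects survives even when its result is never used.
        return bind_r(bind_let(("APP", e, reify(t1, arg, gs)), gs),
                      lambda v: reflect(t2, ("VAR", v), gs))
    return unit(apply)

def evaluate(term, env, gs, sigma):
    """[E]_v^{I_r}: the CBV residualizing interpretation as a T^r computation."""
    tag = term[0]
    if tag == "VAR":
        return unit(env[term[1]])
    if tag == "CST":                # C_r(c): reflect the constant at its type
        return reflect(sigma[term[1]], ("CST", term[1]), gs)
    if tag == "LAM":
        _, x, body = term
        return unit(lambda a: evaluate(body, {**env, x: a}, gs, sigma))
    if tag == "APP":
        _, e1, e2 = term
        return bind_r(evaluate(e1, env, gs, sigma),
                      lambda f: bind_r(evaluate(e2, env, gs, sigma), f))
    if tag == "LET":
        _, x, e1, e2 = term
        return bind_r(evaluate(e1, env, gs, sigma),
                      lambda a: evaluate(e2, {**env, x: a}, gs, sigma))
    raise ValueError(f"unknown term form {tag!r}")

def norm_v(term, tau, sigma=None):
    """norm_v(E) for a closed value E : tau (wrap a non-value in a lambda)."""
    gs = Gensym()
    a = evaluate(term, {}, gs, sigma or {})(lambda a: a)  # [E] {} = eta^r a
    return reify(tau, a, gs)

if __name__ == "__main__":
    BB = arrow(BASE, BASE)
    # E1 = lambda f. lambda x. let y = f x in x   versus   E2 = lambda f. lambda x. x
    e1 = ("LAM", "f", ("LAM", "x",
          ("LET", "y", ("APP", ("VAR", "f"), ("VAR", "x")), ("VAR", "x"))))
    e2 = ("LAM", "f", ("LAM", "x", ("VAR", "x")))
    print(norm_v(e1, arrow(BB, BB)))  # the call to f is kept as a LET
    print(norm_v(e2, arrow(BB, BB)))
```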

4 Structured Data Types 

In this section, we consider normalization for the call-by-value language extended with product and sum types. (Adding products to the call-by-name language is trivial, but it does not appear possible to add even weak sum types, at least in the domain-theoretic semantics.)

Syntax. We extend the set of types by two new type constructors:

$$\tau ::= \cdots \mid \tau_1 \times \tau_2 \mid \tau_1 + \tau_2$$

(The generalizations to $n$-ary ($n \geq 0$) products and sums are completely straightforward and thus omitted.) The associated new terms are:

$$\frac{\Gamma \vdash_\Sigma E_1 : \tau_1 \quad \Gamma \vdash_\Sigma E_2 : \tau_2}{\Gamma \vdash_\Sigma (E_1, E_2) : \tau_1 \times \tau_2} \qquad \frac{\Gamma \vdash_\Sigma E : \tau_1 \times \tau_2 \quad \Gamma, x_1{:}\tau_1, x_2{:}\tau_2 \vdash_\Sigma E' : \tau}{\Gamma \vdash_\Sigma \mathrm{split}(E, x_1.x_2.E') : \tau}$$

$$\frac{\Gamma \vdash_\Sigma E : \tau_1}{\Gamma \vdash_\Sigma \mathrm{inl}(E) : \tau_1 + \tau_2} \qquad \frac{\Gamma \vdash_\Sigma E : \tau_2}{\Gamma \vdash_\Sigma \mathrm{inr}(E) : \tau_1 + \tau_2}$$

$$\frac{\Gamma \vdash_\Sigma E : \tau_1 + \tau_2 \quad \Gamma, x_1{:}\tau_1 \vdash_\Sigma E_1 : \tau \quad \Gamma, x_2{:}\tau_2 \vdash_\Sigma E_2 : \tau}{\Gamma \vdash_\Sigma \mathrm{case}(E, x_1.E_1, x_2.E_2) : \tau}$$

(Instead of split, we could have used explicit projections, but the characterization of normal forms becomes more uniform with split. In practice, the separate split-construct above is usually folded into pattern-matching let- and lambda-bindings.)

Semantics. The semantics of the type constructors is standard:

$$[\![\tau_1 \times \tau_2]\!]_v = [\![\tau_1]\!]_v \times [\![\tau_2]\!]_v = \{(a_1, a_2) \mid a_1 \in [\![\tau_1]\!]_v, a_2 \in [\![\tau_2]\!]_v\}$$

$$[\![\tau_1 + \tau_2]\!]_v = [\![\tau_1]\!]_v + [\![\tau_2]\!]_v = \{\iota_1 a \mid a \in [\![\tau_1]\!]_v\} \cup \{\iota_2 a \mid a \in [\![\tau_2]\!]_v\}$$

as is the semantics of the associated terms:

$$[\![(E_1, E_2)]\!]_v \rho = [\![E_1]\!]_v \rho \ast \lambda a_1.\, [\![E_2]\!]_v \rho \ast \lambda a_2.\, \eta(a_1, a_2)$$

$$[\![\mathrm{split}(E, x_1.x_2.E')]\!]_v \rho = [\![E]\!]_v \rho \ast \lambda(a_1, a_2).\, [\![E']\!]_v(\rho[x_1 \mapsto a_1, x_2 \mapsto a_2])$$

$$[\![\mathrm{inl}(E)]\!]_v \rho = [\![E]\!]_v \rho \ast \lambda a.\, \eta(\iota_1 a) \qquad [\![\mathrm{inr}(E)]\!]_v \rho = [\![E]\!]_v \rho \ast \lambda a.\, \eta(\iota_2 a)$$

$$[\![\mathrm{case}(E, x_1.E_1, x_2.E_2)]\!]_v \rho = [\![E]\!]_v \rho \ast \lambda s.\, \begin{cases} [\![E_1]\!]_v(\rho[x_1 \mapsto a_1]) & \text{if } s = \iota_1 a_1 \\ [\![E_2]\!]_v(\rho[x_2 \mapsto a_2]) & \text{if } s = \iota_2 a_2 \end{cases}$$

Normal forms. With the addition of product and sum types, CBV normal forms 
exhibit a striking similarity with cut-free proofs in Gentzen-style intuitionistic 
sequent calculus, as also noted by Ohori El- In fact, we also get the usual 
sequent-calculus inconvenience of having to make arbitrary choices about the 
order in which we apply left-rules to decompose the types of variables. To keep 
normal forms unique, we choose to eliminate structured-type variables imme- 
diately as they are introduced, in a stack-like manner. (Immediate elimination 
leads to a slight anomaly for constants introduced by the signature: we can only 
allow $\Sigma$ to declare constants of base and top-level-functional types. In the rare 
cases where we need, e.g., a sum-typed constant $c : \tau_1 + \tau_2$ in $\Sigma$, it can be 
provided as a function $c' : 1 \to \tau_1 + \tau_2$ where $1$ is the zero-ary product type.) 

We now have three mutually recursive notions of normality: normal values 
$\Gamma \vdash^v E : \tau$, normal computations $\Gamma \vdash^c E : \tau$, and normal bodies $\Gamma \mid \Theta \vdash^b E : \tau$, 
where $\Theta$ is an ordered list of typing assumptions: 



$$\frac{\Sigma(c) = b}{\Gamma \vdash^v c : b} \qquad \frac{\Gamma(x) = b}{\Gamma \vdash^v x : b} \qquad \frac{\Gamma \mid x{:}\tau_1 \vdash^b E : \tau_2}{\Gamma \vdash^v \lambda x^{\tau_1}.E : \tau_1 \to \tau_2}$$

$$\frac{\Gamma \vdash^v E_1 : \tau_1 \qquad \Gamma \vdash^v E_2 : \tau_2}{\Gamma \vdash^v (E_1, E_2) : \tau_1 \times \tau_2} \qquad \frac{\Gamma \vdash^v E : \tau_1}{\Gamma \vdash^v \mathrm{inl}(E) : \tau_1 + \tau_2} \qquad \frac{\Gamma \vdash^v E : \tau_2}{\Gamma \vdash^v \mathrm{inr}(E) : \tau_1 + \tau_2}$$

$$\frac{\Gamma \vdash^v E : \tau}{\Gamma \vdash^c E : \tau} \qquad \frac{\Sigma(c) = \tau_1 \to \tau_2 \qquad \Gamma \vdash^v E : \tau_1 \qquad \Gamma \mid x{:}\tau_2 \vdash^b E' : \tau}{\Gamma \vdash^c \mathrm{let}\ x = c\,E\ \mathrm{in}\ E' : \tau}$$

$$\frac{\Gamma(x') = \tau_1 \to \tau_2 \qquad \Gamma \vdash^v E : \tau_1 \qquad \Gamma \mid x{:}\tau_2 \vdash^b E' : \tau}{\Gamma \vdash^c \mathrm{let}\ x = x'\,E\ \mathrm{in}\ E' : \tau}$$

$$\frac{\Gamma \vdash^c E : \tau}{\Gamma \mid\ \vdash^b E : \tau} \qquad \frac{\Gamma, x{:}b \mid \Theta \vdash^b E : \tau}{\Gamma \mid \Theta, x{:}b \vdash^b E : \tau} \qquad \frac{\Gamma, x{:}\tau_1 \to \tau_2 \mid \Theta \vdash^b E : \tau}{\Gamma \mid \Theta, x{:}\tau_1 \to \tau_2 \vdash^b E : \tau}$$

$$\frac{\Gamma \mid \Theta, x_1{:}\tau_1, x_2{:}\tau_2 \vdash^b E : \tau}{\Gamma \mid \Theta, x{:}\tau_1 \times \tau_2 \vdash^b \mathrm{split}(x, x_1.x_2.E) : \tau} \qquad \frac{\Gamma \mid \Theta, x_1{:}\tau_1 \vdash^b E_1 : \tau \qquad \Gamma \mid \Theta, x_2{:}\tau_2 \vdash^b E_2 : \tau}{\Gamma \mid \Theta, x{:}\tau_1 + \tau_2 \vdash^b \mathrm{case}(x, x_1.E_1, x_2.E_2) : \tau}$$

Note how newly-introduced variables are put into the quarantined context $\Theta$, 
where their types are decomposed and the pieces migrate back into the ordinary 
context $\Gamma$. In particular, without the rules for product and sum types, the new 
definitions of normal values and computations agree exactly with the original 
ones. 



Normalization by evaluation. We show only how the continuation-based resid- 
ualizing interpretation can be extended. Products could be added to an 
accumulation-based interpretation without too much trouble, but sums appar- 
ently require the full power of applying a single continuation multiple times. 

We assume the syntax-constructor functions for $E$ are extended with func- 
tions PAIR, SPLIT, INL, INR, and CASE with the obvious types. Then we can 
define additional helper functions analogous to $\mathit{bind}_r$ from before: 

£ E-^T"(V X V) 

= Ae. Ak. neWri Xvi. new r2 Aw2 - k(wi, ^2) \e .rf [SPLIT (e, v\,V2,e)) 

hindSri,T 2 £ E— >-r*^(V + V) 

= Ae. Ak. newri Xvi. new t2 Aw2- «;(ti vi) Aei. K(t2f2) Ae2. 

( C'AS'E (e, vi , ei , U2 , 62) ) 

and the corresponding cases for the reification and reflection functions, extending 
the ones from Section El 



= A(ai, ai Aei.J,^^ 02 Xe2-rf‘ [PAIR (ei, 62)) 






T1+T2 



= As. 



4,'^^ ai Aei.?7® (/Aiei) ifs = tiai 
02 Xe2.rf‘ [INRe2) if s = 1202 



triXTa = Ae. bindp^^.^^ e*“' A(wi, «2).tTi ( E 4 i? m) Aoi-fra [VAR V2) -V Xa2.rf (01,02) 

tri ( E 4 i? wi ) if s = n «i 
tra ( VAR V2) if S = t2 V2 



tri+T2 = Xe. binds Ti, T2 eV Xs. 



The residualizing interpretation is as before. (Note that we cannot give a resid- 
ualizing interpretation to constants of top-level product or sum type, since the 
reflection function does not factor through $\eta$ in these cases.) The normalization 
function and Theorem 0 remain the same. For the implementation, the realiza- 
tions of $\mathit{bind}^P$, $\mathit{bind}^S$, and the new clauses for reification and reflection in terms 
of continuation-manipulating primitives are straightforward. 



5 Type-Directed Partial Evaluation 

A primary application of normalization by evaluation is for type-directed partial 
evaluation (TDPE) (Z]. The goal is to simplify a partially applied function of 
multiple arguments by propagating the values of the known arguments through- 
out the body of the function. Here, in addition to eliminating $\beta$-redexes, we also 
want to simplify occurrences of constants, such as arithmetic operations, when 
they are applied to literal values. In other words, we now want to normalize 
terms with interpreted base types and constants. There are in fact two natu- 
ral ways to achieve this, both expressible in terms of the notion of constrained 
interpretations: 

Offline TDPE. For offline TDPE [3, Section 3], we say that a program is binding- 
time separated if it is expressed over a signature $\Sigma$ partitioned into a static and 
a dynamic part, $\Sigma_S$ and $\Sigma_D$, each containing some type and term constants. 
The interpretation is likewise partitioned into $I_S$ and $I_D$. We then constrain the 
allowable interpretations so that $I_S$ is always the standard interpretation (i.e., 
int as $\mathbb{Z}$, $+$ as addition, fix as the domain-theoretic least fixed point, etc.), while 
the dynamic part remains completely unconstrained. That is, we consider the 
notion of static equivalence, $E \equiv_{\mathit{Int}_S} E'$, where $\mathit{Int}_S = \{I \mid I|_{\Sigma_S} = I_S\}$. When 
the static normal form of a term $E$ exists, it is then equivalent to $E$ with 
respect to all interpretations of $\Sigma_D$. The residualizing interpretation of $E$, like 
any interpretation in $\mathit{Int}_S$, also uses the standard interpretation of $\Sigma_S$, and the 
syntax-reconstructing interpretation from Section 3.2 for $\Sigma_D$. 

The separation allows us to realize the static part of the signature com- 
pletely natively in terms of the corresponding construct of the programming 
language, and in fact we can use syntactic conveniences of the host language, 
such as pattern matching or letrec-forms directly for the static computations. 
It also becomes possible to self-apply the partial evaluator (the so-called second 
Futamura projection) m- 

Online TDPE. In the online variant [3, Section 4], like in general online partial 
evaluation, we do not annotate types, nor most occurrences of constants, with 
their binding times. Instead, the partial evaluator "opportunistically" propagates 
statically known data and performs reductions such as $2 + 3 \to 5$. 

This corresponds to normalizing with respect to the set $\mathit{Int}_C$ of interpretations 
$(B, C)$ that satisfy constraints such as $C(+)(C(2), C(3)) = C(5)$, and possibly also 
additional ones, such as $C(+)(x, C(0)) = x$ for all $x$ in $B(\mathrm{int})$. Again, the standard 
interpretation of $C(+)$ satisfies these constraints automatically. The residualizing 
one includes explicit checks for the reducible cases, to avoid constructing the 
corresponding redexes in the generated code. This formulation is similar to recent 
work on merging the reduction-free normalization of function abstraction and 
application with explicit reduction rules for constants 0. 

The advantage of the online approach is that we do not have to explicitly 
separate the binding times in the source program, but correspondingly it becomes 
less predictable how much of the source program can be simplified at partial- 
evaluation time. An online normalizer also requires all primitive operations to 
explicitly check whether their arguments are literals (so the operation can be 
eliminated) or more general expressions (so the operation must remain in the 
normal form), slowing down the specialization process somewhat. Finally, fixed- 
point operators must still either be explicitly classified as static or dynamic, 
or need some ad hoc mechanism for deciding whether their unfolding equation 
should be applied. 

In both cases, the normalization function may be partial, i.e., without part 
(0) of Theorems Q] and El This is unavoidable, since in the presence of recursion, 
some terms simply have no normal form. However, for the CBN case, one can 
still show that when it is defined, E satisfies parts (1-3), and also that whenever a 
E satisfying (1-3) exists, norm{E) is defined EJ- The situation for CBV TDPE 
has not been fully analyzed yet, although it seems reasonable to conjecture an 
analogous result. 

In any case, the semantic treatment of TDPE allows us to uniformly analyze 
the construction and state its correctness criterion independently of the details 
of its implementation. That is, we can think about partial evaluation in terms of 
normalization with respect to a class of interpretations, without worrying about 
whether the normalization is achieved through repeated reductions, or through 
reduction-less normalization by evaluation. 
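As an added example (not code from the paper), the following Python sketch realizes a continuation-based residualizing interpretation of the kind described in the normalization-by-evaluation passage above and applies it to online TDPE: reflection at a sum type applies its continuation once per branch to build a CASE, reflection at a function type let-binds the residual application as the CBV normal forms require, and `+` is interpreted online, checking the constraints C(+)(C(2),C(3)) = C(5) and C(+)(x, C(0)) = x before emitting a redex. The tuple encoding of residual code and types, the treatment of `+` as effect-free, and all helper names (`unit`, `bind`, `lift`, `plus`, `new`, `normalize`) are my own assumptions.

```python
import itertools

# Residual code (Expr) is built from nested tuples, e.g. ('add', ('var', 'x'), ('lit', 1)).
_fresh = itertools.count()

def new(hint):
    """Generate a fresh residual variable name (the role of 'new' in the paper's helpers)."""
    return f"{hint}{next(_fresh)}"

# Continuation-based computations: a computation is a function from a
# continuation (value -> Expr) to the residual Expr it builds.
def unit(v):
    return lambda k: k(v)

def bind(c, f):
    return lambda k: c(lambda v: f(v)(k))

def lift(f):
    """Turn a direct-style host function into a CBV function value (arg -> computation)."""
    return lambda a: unit(f(a))

def as_expr(v):
    return ('lit', v) if isinstance(v, int) else v

def plus(x, y):
    """Online residualizing '+': base values are ints (static) or Exprs (dynamic).
    The checks realize C(+)(C(2),C(3)) = C(5) and C(+)(x,C(0)) = x; only when
    neither applies is an 'add' redex emitted."""
    if isinstance(x, int) and isinstance(y, int):
        return x + y
    if isinstance(y, int) and y == 0:
        return x
    if isinstance(x, int) and x == 0:
        return y
    return ('add', as_expr(x), as_expr(y))

# Types: 'int', ('fun', t1, t2) or ('sum', t1, t2).
def reify(t, v):
    """Value of type t -> computation yielding its residual Expr (reification)."""
    if t == 'int':
        return unit(as_expr(v))
    if t[0] == 'fun':
        x = new('x')
        body = bind(reflect(t[1], ('var', x)),
                    lambda a: bind(v(a), lambda r: reify(t[2], r)))
        return unit(('lam', x, body(lambda e: e)))
    tag, a = v                                   # sum value: ('inl', a) or ('inr', a)
    return bind(reify(t[1] if tag == 'inl' else t[2], a), lambda e: unit((tag, e)))

def reflect(t, e):
    """Residual Expr of type t -> computation yielding a value (reflection)."""
    if t == 'int':
        return unit(e)
    if t[0] == 'fun':
        def apply(a):                            # CBV: let-bind the residual application
            y = new('y')
            return bind(reify(t[1], a), lambda ea:
                        lambda k: ('let', y, ('app', e, ea), reflect(t[2], ('var', y))(k)))
        return unit(apply)
    # Sum type: the single continuation k is applied once per branch (the bind^S idea).
    l, r = new('l'), new('r')
    return lambda k: ('case', e,
                      l, bind(reflect(t[1], ('var', l)), lambda a: unit(('inl', a)))(k),
                      r, bind(reflect(t[2], ('var', r)), lambda b: unit(('inr', b)))(k))

def normalize(t, v):
    """Type-directed partial evaluation: residualize the host value v at type t."""
    global _fresh
    _fresh = itertools.count()                   # deterministic names for the examples
    return reify(t, v)(lambda e: e)

def show(e):
    tag = e[0]
    if tag == 'lit':  return str(e[1])
    if tag == 'var':  return e[1]
    if tag == 'add':  return f"({show(e[1])} + {show(e[2])})"
    if tag == 'lam':  return f"λ{e[1]}. {show(e[2])}"
    if tag == 'app':  return f"{show(e[1])} {show(e[2])}"
    if tag == 'let':  return f"let {e[1]} = {show(e[2])} in {show(e[3])}"
    if tag == 'case': return (f"case {show(e[1])} of inl {e[2]} -> {show(e[3])}"
                              f" | inr {e[4]} -> {show(e[5])}")
    return f"{tag}({show(e[1])})"

# Constructed source 1: λs. λn. case s of inl a -> (a + n) + 0 | inr b -> (2 + 3) + b
SUM_PROG = lift(lambda s: lift(lambda n:
    plus(plus(s[1], n), 0) if s[0] == 'inl' else plus(plus(2, 3), s[1])))
SUM_TYPE = ('fun', ('sum', 'int', 'int'), ('fun', 'int', 'int'))

# Constructed source 2: λg. (g 2) + 0, where g is a dynamic (reflected) function
APP_PROG = lambda g: bind(g(2), lambda r: unit(plus(r, 0)))
APP_TYPE = ('fun', ('fun', 'int', 'int'), 'int')

if __name__ == '__main__':
    print(show(normalize(SUM_TYPE, SUM_PROG)))   # the case lands at the binding of s
    print(show(normalize(APP_TYPE, APP_PROG)))   # λx0. let y1 = x0 2 in y1
```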
6 Conclusions and Future Work 

We have seen that the same basic idea that allows us to compute normal forms 
of lambda-terms with respect to purely functional interpretations also allows us 
to compute such normal forms with respect to general computational interpre- 
tations. In both cases, we chose a “quasi-syntactic” interpretation of the types 
and constants, and in the latter, also a binding-accumulating monad as the in- 
terpretation of computational effects. Both variants of semantic normalization 
can be phrased as functional-program evaluation, although the construction is 
significantly more involved in the computational case. 

An important application of the normalization construction is type-directed 
partial evaluation, which seeks to compute normal forms not with respect to 
all interpretations of a signature, but only with respect to a subset of those; 
different choices of such subsets lead to offline and online partial evaluation. The 
offline, call- by-name case is analyzed in isolation in an earlier paper PH, but the 
more general constrained-interpretation formulation presented here seems worth 
investigating further, especially since it also leads to natural TDPE formulations 
of other partial-evaluation concepts, such as polyvariant program-point special- 
ization expressed as suitable constraints on the recursion operator. 

Additionally, it should be possible to obtain a syntactic analog of the CBV 
normalization result, showing that the computed normal form is not only equiv- 
alent to the original term with respect to arbitrary set-, or domain-theoretic in- 
terpretations, but is provably equal to it using the axioms of the computational 
lambda-calculus [ll 6j . However, it seems that the semantic characterization may 
be ultimately more convenient for reasoning about programs, since it seems to 
scale more directly to partially constrained interpretations, and especially static 
recursion. 
Abstract. This paper proves the non-derivability of induction in second 
order dependent type theory ($\lambda$P2). This is done by providing a model 
construction for $\lambda$P2, based on a saturated sets like interpretation of 
types as sets of terms of a weakly extensional combinatory algebra. We 
give counter-models in which the induction principle over natural num- 
bers is not valid. The proof does not depend on the specific encoding 
for natural numbers that has been chosen (like e.g. polymorphic Church 
numerals), so in fact we prove that there cannot be an encoding of nat- 
ural numbers in $\lambda$P2 such that the induction principle is satisfied. The 
method extends immediately to other data types, like booleans, lists, 
trees, etc. 

In the process of the proof we establish some general properties of the 
models, which we think are of independent interest. Moreover, we show 
that the Axiom of Choice is not derivable in $\lambda$P2. 



1 Introduction 

In second order dependent type theory, $\lambda$P2, we can encode all kinds of inductive 
data types, like the types of natural numbers, lists, trees etcetera. This is usually 
done via the Böhm-Berarducci encoding (see [Girard et al. 1989] for a general 
exposition), which yields e.g. the well-known polymorphic Church numerals as 
interpretation of the natural numbers. This encoding already works for non- 
dependent second order type theory (the well-known polymorphic $\lambda$-calculus 
$\lambda$2), but dependent types give the extra advantage that we can also state the 
induction principle for the inductive data types. For example, if nat is the type 
of polymorphic Church numerals with zero 0 and successor function succ, then 
the induction principle is represented by the type ind defined as 

$$\mathrm{ind} := \Pi P{:}\mathrm{nat}\to *.\,(P0)\to(\Pi y{:}\mathrm{nat}.(Py)\to(P(\mathrm{succ}\,y)))\to\Pi x{:}\mathrm{nat}.(Px).$$

Here, $*$ denotes the 'kind' (universe) of all types, which captures both the sets 
(nat : $*$) and the propositions (ind : $*$). The induction principle for nat is said to 
be derivable in $\lambda$P2 if there is a closed term of type ind. 

In this paper we show that the induction principle for nat is not derivable in 
$\lambda$P2. As a matter of fact, we prove something stronger: the non-derivability of 
induction does not depend on the specific choice of the encoding of the natural 
numbers: given any (closed) type $N$ with $0 : N$ and $s : N\to N$, there can be 
no closed term of type $\Pi P{:}N\to *.\,(P0)\to(\Pi y{:}N.(Py)\to(P(sy)))\to\Pi x{:}N.(Px)$. 
This rules out any 'smart' encoding of the natural numbers (like the $N$ above) 
for which induction would be provable in $\lambda$P2. For what a 'smart encoding' could 
possibly look like, see the small diversion below in 1.1. 

It should be pointed out here that, of course, inductive reasoning can easily be 
represented in $\lambda$P2 by 'relativizing' all statements about nat to the inductive 
natural numbers. If we let $\mathrm{Ind}\,x$ say that $x$ is an 'inductive natural number', 
defined in $\lambda$P2 as follows, 

$$\mathrm{Ind}\,x := \Pi P{:}\mathrm{nat}\to *.\,(P0)\to(\Pi y{:}\mathrm{nat}.(Py)\to(P(\mathrm{succ}\,y)))\to(Px),$$

we can relativize $\Pi x{:}\mathrm{nat}.\varphi$ to $\Pi x{:}\mathrm{nat}.(\mathrm{Ind}\,x)\to\varphi$. Then one can reason by induc- 
tion, just because all statements about nat are restricted to the inductive natural 
numbers. However, this does not give us an inductive type of natural numbers. 

Our result extends immediately to other inductive data types, so induction 
is not derivable for any encoding of any inductive data type in $\lambda$P2. Also we 
show in this paper that the induction principle for one data type cannot be 
derived from the induction principle for another data type. The results extend 
immediately to other systems like the Calculus of Constructions (without induc- 
tive types). In [Streicher 1991], also a non-derivability result for induction is proved, 
using a realizability semantics, but only for one specific encoding of the natu- 
ral numbers, as polymorphic Church numerals. Our proof of non-derivability 
uses a fairly simple model construction which originates from [Geuvers 1996] 
and [Stefanova and Geuvers 1996]. The model we construct has some similari- 
ties with the one used in [Berardi] to justify encoding mathematics in the 
Calculus of Constructions. To establish our main result we construct a model in 
which the type that represents induction is empty. 

Apart from the induction principle we also show the non-derivability of the 
Axiom of Choice. 



1.1 Small Diversion: A Possible Smart Encoding of the Naturals 

One may wonder whether there are other 'smarter' encodings of the natural 
numbers for which induction is provable. In this subsection we suggest a possible 
different encoding of the naturals. Our final result implies that induction is also 
non-derivable for this representation. Let us define 

$$N := \exists x{:}\mathrm{nat}.(\mathrm{Ind}\,x),$$

with $\mathrm{Ind}\,x$ saying that $x$ is an 'inductive natural number', defined as above. Now 
the 'inductivity' of the natural numbers is 'built in' in their encoding. ($\exists$ is 
defined in the well-known second order way: $\exists x{:}\sigma.\tau := \Pi\alpha{:}*.(\Pi x{:}\sigma.\tau\to\alpha)\to\alpha$.) 
By using the definable $\exists$-elim and $\exists$-intro rules, it is now easy to define 0, succ 
By using the definable 3-elim and 3-intro rules, it is now easy to define 0, succ 
for this encoding: 

$$0 := \lambda\alpha{:}*.\lambda h{:}(\Pi x{:}\mathrm{nat}.(\mathrm{Ind}\,x)\to$$

$$\mathrm{succ} := \lambda n{:}N.\,nN(\lambda x{:}\mathrm{nat}.\lambda p{:}(\mathrm{Ind}\,x).\lambda\alpha{:}*.\lambda h{:}(\Pi y{:}\mathrm{nat}.(\mathrm{Ind}\,y)\to\alpha).\,h(\mathrm{succ}\,x)(q_{\mathrm{succ}}\,x\,p)),$$

where $q_0$ and $q_{\mathrm{succ}}$ are terms such that $q_0 : (\mathrm{Ind}\,0)$ and 
$q_{\mathrm{succ}} : \Pi x{:}\mathrm{nat}.(\mathrm{Ind}\,x)\to(\mathrm{Ind}\,(\mathrm{succ}\,x))$. One may wonder whether the induction 
principle is derivable for the type $N$. It is not the case, which can intuitively be 
grasped from the fact that there is no 'coherence' among the possible proofs of 
$\mathrm{Ind}\,x$. (There are many possible proofs of $\mathrm{Ind}\,0$, which are not all captured.) 



2 Second Order Dependent Type Theory 



The system of second order dependent type theory, $\lambda$P2, is an extension of 
the polymorphic $\lambda$-calculus with dependent types and it was first introduced in 
[Longo and Moggi 1988]. It can be seen as a subsystem of the Calculus of Con- 
structions ([Coquand and Huet 1988], [Coquand 1990]), where the operations of 
forming type constructors are restricted to second order ones. (So, one can quan- 
tify over type constructors of kind $\sigma\to *$, but one cannot form type constructors 
of kind $(\sigma\to *)\to *$.) It can also be seen as an extension of the first order system 
$\lambda$P, where quantification over type constructors has been added. For an extensive 
discussion on these systems and their relations, we refer to [Barendregt 1992] or 
[Geuvers 1993]. Here we just define the system $\lambda$P2 and give some initial moti- 
vation for it. 



Definition 1. The type system $\lambda$P2 is defined as follows. The set of pseudo- 
terms, $\mathsf{T}$, is defined by 

$$\mathsf{T} ::= * \mid \mathrm{Kind} \mid \mathrm{Var} \mid (\Pi\mathrm{Var}{:}\mathsf{T}.\mathsf{T}) \mid (\lambda\mathrm{Var}{:}\mathsf{T}.\mathsf{T}) \mid \mathsf{T}\mathsf{T},$$

where Var is a countable set of variables. On $\mathsf{T}$ we have the usual notion of $\beta$- 
reduction, $\to_\beta$. We adopt from the untyped $\lambda$-calculus the conventions of denot- 
ing the transitive reflexive closure of $\to_\beta$ by $\twoheadrightarrow_\beta$ and the transitive symmetric 
closure of $\twoheadrightarrow_\beta$ by $=_\beta$. 

The typing of terms is done under the assumption of specific types for the 
free variables that occur in the term. This is done in a context, a finite sequence 
of declarations $\Gamma = v_1{:}T_1, \ldots, v_n{:}T_n$ (the $v$ are variables and the $T$ are pseudo- 
terms). Typing judgments are written as $\Gamma \vdash M : T$, with $\Gamma$ a context and $M$ and $T$ pseudo-terms. 

The deduction rules for $\lambda$P2 are as follows. ($v$ ranges over Var, $s$, $s_1$ and $s_2$ 
range over $\{*, \mathrm{Kind}\}$ and $M, N, T$ and $U$ range over $\mathsf{T}$.) 



$$(\mathit{axiom})\quad \vdash * : \mathrm{Kind}$$

$$(\mathit{var})\quad \frac{\Gamma \vdash T : */\mathrm{Kind}}{\Gamma, v{:}T \vdash v : T} \qquad (\mathit{weak})\quad \frac{\Gamma \vdash T : */\mathrm{Kind} \qquad \Gamma \vdash M : U}{\Gamma, v{:}T \vdash M : U}$$

$$(\Pi)\quad \frac{\Gamma \vdash T : s_1 \qquad \Gamma, v{:}T \vdash U : s_2}{\Gamma \vdash \Pi v{:}T.U : s_2}\ \text{ if } (s_1, s_2) \neq (\mathrm{Kind}, \mathrm{Kind})$$

$$(\lambda)\quad \frac{\Gamma, v{:}T \vdash M : U \qquad \Gamma \vdash \Pi v{:}T.U : s}{\Gamma \vdash \lambda v{:}T.M : \Pi v{:}T.U}$$

$$(\mathit{app})\quad \frac{\Gamma \vdash M : \Pi v{:}T.U \qquad \Gamma \vdash N : T}{\Gamma \vdash MN : U[N/v]} \qquad (\mathit{conv}_\beta)\quad \frac{\Gamma \vdash M : T \qquad \Gamma \vdash U : s}{\Gamma \vdash M : U}\ \text{ if } T =_\beta U$$



In the rules (var) and (weak) it is always assumed that the newly declared variable 
is fresh, that is, it has not yet been declared in $\Gamma$. For convenience, we split up 
the set Var into a set $\mathrm{Var}^*$, the object variables, and $\mathrm{Var}^{\mathrm{Kind}}$, the constructor 
variables. Object variables will be denoted by $x, y, z, \ldots$ and constructor variables 
by $\alpha, \beta, \ldots$. In the rules (var) and (weak), we take the variable $v$ out of $\mathrm{Var}^*$ if 
$s = *$ and out of $\mathrm{Var}^{\mathrm{Kind}}$ if $s = \mathrm{Kind}$. 



We call a pseudo-term $M$ well-typed if there is a context $\Gamma$ and another 
pseudo-term $N$ such that either $\Gamma \vdash M : N$ or $\Gamma \vdash N : M$ is derivable. The 
well-typed terms can be split into the following disjoint subsets: 

— $\{\mathrm{Kind}\}$, 

— the set of kinds: terms $A$ such that $\Gamma \vdash A : \mathrm{Kind}$ for some $\Gamma$; this includes $*$. 
In $\lambda$P2 all kinds are of the form $\Pi x_1{:}\sigma_1 \ldots \Pi x_n{:}\sigma_n.*$, with $\sigma_1, \ldots, \sigma_n$ types 
and $x_1, \ldots, x_n \in \mathrm{Var}^*$. 

— the set of constructors: terms of type a 'kind', i.e. terms $P$ such that $\Gamma \vdash P : 
A$ for some kind $A$; this includes the types, terms of type $*$. 

In $\lambda$P2 all constructors are of one of the following forms 

— $\alpha \in \mathrm{Var}^{\mathrm{Kind}}$, 

— $Pt$, with $P$ a constructor and $t$ an object, 

— $\lambda x{:}\sigma.P$, with $\sigma$ a type, $P$ a constructor, $x \in \mathrm{Var}^*$, 

— $\Pi x{:}\sigma.\tau$, with $\sigma$ and $\tau$ types, $x \in \mathrm{Var}^*$, 

— $\Pi\alpha{:}A.\tau$, with $A$ a kind, $\tau$ a type, $\alpha \in \mathrm{Var}^{\mathrm{Kind}}$. 

— the objects: terms of type a 'type', i.e. terms $M$ such that $\Gamma \vdash M : \sigma$ for 
some type $\sigma$. In $\lambda$P2 all objects are of one of the following forms 

— $x \in \mathrm{Var}^*$, 

— $qt$, with $q$ and $t$ objects, 

— $qP$, with $P$ a constructor and $q$ an object, 

— $\lambda x{:}\sigma.t$, with $\sigma$ a type, $t$ an object, $x \in \mathrm{Var}^*$, 

— $\lambda\alpha{:}A.t$, with $A$ a kind, $t$ an object, $\alpha \in \mathrm{Var}^{\mathrm{Kind}}$. 



Convention. We denote kinds by $A, B, C, \ldots$, types by $\sigma, \tau, \ldots$, constructors by 
$P, Q, \ldots$ and objects by $t, q, \ldots$. 

If $v$ is not free in $U$, we denote, as usual, $\Pi v{:}T.U$ by $T\to U$. In arrow types, 
we let brackets associate to the right, so $T\to T\to T$ denotes $T\to(T\to T)$. In ap- 
plication types, we let brackets associate to the left, so $MNP$ denotes $(MN)P$. 
Data types and formulas in $\lambda$P2. The well-known encoding of inductive data 
types in polymorphic $\lambda$-calculus extends immediately to $\lambda$P2. For the general 
procedure we refer to [Girard et al. 1989]. Here we give some examples. It is also 
standard that these inductive data types come together with the possibility of 
defining functions by iteration. We do not discuss the iteration scheme, as it is 
outside the scope of this paper. We do give, for each data type, the associated 
induction principle. In this paper we show that the induction principle for natural 
numbers is not provable in $\lambda$P2. However the same method applies immediately 
to other data types, like the ones given below. 

1. The natural numbers can be encoded by $\mathrm{nat} := \Pi\alpha{:}*.\alpha\to(\alpha\to\alpha)\to\alpha$, with 
zero and successor: 

$$0 := \lambda\alpha{:}*.\lambda x{:}\alpha.\lambda f{:}\alpha\to\alpha.x,$$
$$\mathrm{succ} := \lambda n{:}\mathrm{nat}.\lambda\alpha{:}*.\lambda x{:}\alpha.\lambda f{:}\alpha\to\alpha.f(n\alpha xf).$$

The induction principle reads 

$$\mathrm{ind}_{\mathrm{nat}} := \Pi P{:}\mathrm{nat}\to *.(P0)\to(\Pi y{:}\mathrm{nat}.(Py)\to(P(\mathrm{succ}\,y)))\to\Pi x{:}\mathrm{nat}.(Px).$$

2. The list over a given carrier type $\sigma$ can be encoded by $\mathrm{list}_\sigma := \Pi\alpha{:}*.\alpha\to(\sigma\to\alpha\to\alpha)\to\alpha$, 
with empty list and 'cons' map: 

$$\mathrm{nil} := \lambda\alpha{:}*.\lambda x{:}\alpha.\lambda f{:}\sigma\to\alpha\to\alpha.x,$$
$$\mathrm{cons} := \lambda a{:}\sigma.\lambda l{:}\mathrm{list}_\sigma.\lambda\alpha{:}*.\lambda x{:}\alpha.\lambda f{:}\sigma\to\alpha\to\alpha.fa(l\alpha xf).$$

As we are in $\lambda$P2, we cannot define list as a type constructor $\mathrm{list} := \lambda\sigma{:}*.\mathrm{list}_\sigma : *\to *$, 
simply because the kind $*\to *$ is not available in $\lambda$P2. For 
simplicity we write list for $\mathrm{list}_\sigma$ if the $\sigma$ is clear from the context. 

The induction principle reads 

$$\mathrm{ind}_{\mathrm{list}} := \Pi P{:}\mathrm{list}\to *.(P\,\mathrm{nil})\to(\Pi a{:}\sigma.\Pi y{:}\mathrm{list}.(Py)\to P(\mathrm{cons}\,a\,y))\to\Pi x{:}\mathrm{list}.(Px).$$

3. The well-founded labeled trees of branching type $\tau$ and with labels in $\sigma$ can 
be encoded by $\mathrm{tree}_{\tau\sigma} := \Pi\alpha{:}*.(\sigma\to\alpha)\to(\sigma\to(\tau\to\alpha)\to\alpha)\to\alpha$, with maps leaf 
and join (taking a label and a '$\tau$-sequence' of trees and returning a tree): 

$$\mathrm{leaf} := \lambda a{:}\sigma.\lambda\alpha{:}*.\lambda x{:}\sigma\to\alpha.\lambda f{:}\sigma\to(\tau\to\alpha)\to\alpha.xa,$$
$$\mathrm{join} := \lambda a{:}\sigma.\lambda t{:}\tau\to\mathrm{tree}_{\tau\sigma}.\lambda\alpha{:}*.\lambda x{:}\sigma\to\alpha.\lambda f{:}\sigma\to(\tau\to\alpha)\to\alpha.fa(\lambda z{:}\tau.tz\alpha xf).$$

The remark about not being able to define $\mathrm{list} : *\to *$ also applies to tree. We 
omit the indices in tree if no confusion arises. The induction principle reads 

$$\mathrm{ind}_{\mathrm{tree}} := \Pi P{:}\mathrm{tree}\to *.(\Pi a{:}\sigma.(P(\mathrm{leaf}\,a)))\to(\Pi a{:}\sigma.\Pi y{:}\tau\to\mathrm{tree}.(\Pi z{:}\tau.(P(yz)))\to(P(\mathrm{join}\,a\,y)))\to\Pi x{:}\mathrm{tree}.(Px).$$

There is a formulas-as-types embedding from constructive second order pred- 
icate logic into $\lambda$P2. 
3 Model Construction for $\lambda$P2 

The model notion for $\lambda$P2 we give is not a general (categorical) one, but a 
description of a class of models, which is the same as in [Geuvers 1996]. It can 
be extended to a class of models for the Calculus of Constructions, which is done 
in [Stefanova and Geuvers 1996]. 

The models of $\lambda$P2 are built from weakly extensional combinatory algebras 
(weca for short). A combinatory algebra (ca for short) is a tuple $\mathcal{A} = (A, \cdot, k, s)$, 
with $A$ a set, $\cdot$ a binary function from $A \times A$ to $A$ (as usual denoted by infix 
notation), $k, s \in A$ such that $(k\cdot a)\cdot b = a$ and $((s\cdot a)\cdot b)\cdot c = (a\cdot c)\cdot(b\cdot c)$. For $\mathcal{A}$ a 
combinatory algebra, the set of terms over $\mathcal{A}$, $T(\mathcal{A})$, is defined by letting $T(\mathcal{A})$ 
contain infinitely many variables $v_1, v_2, \ldots$ and distinct elements $c_a$ for every 
$a \in A$, and letting $T(\mathcal{A})$ be closed under application (the operation $\cdot$). Given a 
term $t$ and a valuation $\rho$, mapping variables to elements of $A$, the interpreta- 
tion of $t$ in $\mathcal{A}$ under $\rho$, notation $[\![t]\!]_\rho$, is defined in the usual way ($[\![c_a]\!]_\rho = a$, 
$[\![MN]\!]_\rho = [\![M]\!]_\rho \cdot [\![N]\!]_\rho$, etcetera). An important property of cas is that they are 
combinatory complete, i.e. if $t[v] \in T(\mathcal{A})$ is a term with free variable $v$, then there 
is an element in $A$, usually denoted by $\lambda^* v.t[v]$, such that $\forall x\,((\lambda^* v.t[v]) \cdot x = t[x])$ 
in $\mathcal{A}$. (More technically, this means that $[\![(\lambda^* v.t[v]) \cdot x]\!]_\rho = [\![t[x]]\!]_\rho$ for all $\rho$.) A 
ca is weakly extensional if $[\![t_1]\!]_{\rho(x:=a)} = [\![t_2]\!]_{\rho(x:=a)}$ for all $a \in A$ implies that 
$[\![\lambda^* x.t_1]\!]_\rho = [\![\lambda^* x.t_2]\!]_\rho$. In other words: a ca is weakly extensional if abstrac- 
tion is a function on the weca $(T(\mathcal{A}), \cdot, k, s)$, i.e. if (in $T(\mathcal{A})$) $t_1 = t_2$, then 
$\lambda^* x.t_1 = \lambda^* x.t_2$. 

The need for weakly extensional cas comes from the fact that we want 

$$M =_\beta N \Rightarrow (\!(M)\!)_\rho = (\!(N)\!)_\rho \text{ for all } \rho,$$

where $(\!(-)\!)_\rho$ interprets pseudo-terms as elements of $A$, using a valuation $\rho$ for 
the free variables. Of course, $(\!(-)\!)_\rho$ is close to $[\![-]\!]_\rho$, except for the fact that now 
we also have to interpret abstraction: under $(\!(-)\!)_\rho$, $\lambda$ is interpreted as $\lambda^*$.¹ 

Example 1. 1. A standard example of a weca is $\Lambda$, consisting of the classes 
of open $\lambda$-terms modulo $\beta$-equality. So, $\Lambda$ is just $\Lambda/\beta$ and $[M] = [N]$ iff 
$M =_\beta N$. It is easily verified that this yields a weca. 

2. Given a set of constants $C$, we define the weca $\Lambda(C)$ as the equivalence 
classes of open $\Lambda_C$-terms (i.e. lambda-terms over the constant set $C$) modulo 
$\beta c$-equality, where the $c$-equality rules say 

$$cN =_c c \qquad \lambda v.c =_c c$$

for all $c \in C$ and $N \in \Lambda_C$. 

3. Another example of a weca is $\mathbf{1}$, the degenerate weca where $A = 1$, the one- 
element set. In this case $k = s$, which is usually not allowed in combinatory 
algebras, but note that we do allow it here. 

¹ In general, for cas, $M =_\beta N$ does not imply $(\!(M)\!)_\rho = (\!(N)\!)_\rho$ (e.g. take combinatory logic and 
$M = x$, $N = Ix$). However, for wecas this implication holds. 
The types of $\lambda$P2 will be interpreted as subsets of $A$. 

Definition 2. A polyset structure over the weakly extensional combinatory al- 
gebra $\mathcal{A}$ is a collection $\mathcal{P} \subseteq \wp(A)$ such that 

1. $A \in \mathcal{P}$, 

2. $\mathcal{P}$ is closed under arbitrary intersection $\bigcap$, 

3. $\mathcal{P}$ is closed under dependent products, i.e. if $X \in \mathcal{P}$ and $F : X \to \mathcal{P}$, then 
$\Pi_{t\in X}F(t) \in \mathcal{P}$, where $\Pi_{t\in X}F(t)$ is defined as 

$$\{a \in A \mid \forall t \in X\,(a \cdot t \in F(t))\}.$$

The elements of a polyset structure are called polysets. If $F$ is the constant 
function with value $Y$, we write $X\to Y$ instead of $\Pi_{t\in X}Y$. 

Example 2. 1. We obtain the full polyset structure over the weca $\mathcal{A}$ if we take 
$\mathcal{P} = \wp(A)$. 

2. The simple polyset structure over the weca $\mathcal{A}$ is obtained by taking $\mathcal{P} = 
\{\emptyset, A\}$. It is easily verified that this is a polyset structure. 

3. Given the weca $\Lambda(C)$ as defined in Example 1 (so $C$ is a set of constants), 
we define the polyset structure generated from $C$ by 

$$\mathcal{P} := \{X \subseteq \Lambda(C) \mid X = \emptyset \vee C \subseteq X\}.$$

To show that $\mathcal{P}$ is a polyset structure, the only interesting thing is to verify 
that $\mathcal{P}$ is closed under dependent product. So, let $X \in \mathcal{P}$ and $F : X \to \mathcal{P}$. 
We distinguish cases: if $X = \emptyset$, then $\Pi_{t\in X}F(t) = \Lambda(C) \in \mathcal{P}$; if $F(t) = \emptyset$ 
for some $t \in X$, then $\Pi_{t\in X}F(t) = \emptyset \in \mathcal{P}$; in all other cases $C \subseteq \Pi_{t\in X}F(t)$, 
because for $c \in C$ and $t \in X$, $ct =_c c \in C \subseteq F(t)$, so $ct \in F(t)$. 

4. Given the weca $\mathcal{A}$ and a set $C \subseteq A$ such that $\forall a, b \in A\,(a \cdot b \in C \Rightarrow a \in C)$, 
we define the power polyset structure of $C$ by 

$$\mathcal{P} := \{X \subseteq A \mid X \subseteq C \vee X = A\}.$$

To check that this is a polyset structure, one only has to verify that, for $X \in \mathcal{P}$ 
and $F : X\to\mathcal{P}$, $\Pi_{t\in X}F(t) \in \mathcal{P}$. This follows from an easy case distinction: 
$\forall t \in X\,(F(t) = A)$ or $\exists t \in X\,(F(t) \subseteq C)$. 

An interesting instance of a power polyset structure is the one arising from 
$C = \mathrm{HNF}$, the set of $\lambda$-terms with a head-normal-form, in the weca $\Lambda/\beta$. 

The dependent product of a polyset structure will be used to interpret types 
of the form $\Pi x{:}\sigma.\tau$, where both $\sigma$ and $\tau$ are types. The intersection will be used 
to interpret types of the form $\Pi\alpha{:}A.\sigma$, where $\sigma$ is a type and $A$ is a kind. To 
interpret kinds we need a predicative structure. 

Definition 3. For $\mathcal{P}$ a polyset structure, the predicative structure over $\mathcal{P}$ is the 
collection of sets $\mathcal{N}$ defined inductively by 

1. $\mathcal{P} \in \mathcal{N}$, 

2. If $X \in \mathcal{P}$ and $\forall t \in X\,(F(t) \in \mathcal{N})$, then $\Pi_{t\in X}F(t) \in \mathcal{N}$. 

If $F$ is a constant function with value $V$, we write $X\to V$ instead of $\Pi_{t\in X}V$. 



Definition 4. If $\mathcal{A}$ is a combinatory algebra, $\mathcal{P}$ a polyset structure over $\mathcal{A}$ and 
$\mathcal{N}$ the predicative structure over $\mathcal{P}$, then we call the tuple $(\mathcal{A}, \mathcal{P}, \mathcal{N})$ a $\lambda$P2- 
model. 

The predicative structure over a polyset structure $\mathcal{P}$ is intended to give a 
domain of interpretation for the kinds. For example, if the type $\sigma$ is interpreted 
as the polyset $X$, then the kind $\sigma\to\sigma\to *$ is interpreted as $\Pi_{t\in X}\Pi_{t\in X}\mathcal{P}$, for 
which we usually write $X\to X\to\mathcal{P}$. 

We now define three interpretation functions, one for kinds, $\mathcal{V}(-)$, that maps 
kinds to elements of $\mathcal{N}$, one for constructors (and types), $[\![-]\!]$, that maps con- 
structors to elements of $\bigcup\mathcal{N}$ (and types to elements of $\mathcal{P}$, which is a subset 
of $\bigcup\mathcal{N}$) and one for objects, $(\!(-)\!)$, that maps objects to elements of the com- 
binatory algebra $A$. All these interpretations are parametrized by valuations, 
assigning values to the free variables (declared in the context). 

Let in the following $\mathcal{M} = (\mathcal{A}, \mathcal{P}, \mathcal{N})$ be a $\lambda$P2-model: $\mathcal{A} = (A, \cdot, k, s)$ is a 
combinatory algebra, $\mathcal{P}$ is a polyset structure over $\mathcal{A}$ and $\mathcal{N}$ is the predicative 
structure over the polyset structure $\mathcal{P}$. 

Definition 5. A constructor variable valuation is a map $\xi$ from $\mathrm{Var}^{\mathrm{Kind}}$ to $\bigcup\mathcal{N}$. 
An object variable valuation is a map $\rho$ from $\mathrm{Var}^*$ to $A$. 



Definition 6. For $\rho$ an object variable valuation, we define the map $(\!(-)\!)_\rho$ from 
the set of objects to $A$ as follows. (We leave the model $\mathcal{M}$ implicit.) 

$$\begin{aligned}
(\!(x)\!)_\rho &= \rho(x), \\
(\!(tq)\!)_\rho &= (\!(t)\!)_\rho \cdot (\!(q)\!)_\rho && \text{if } q \text{ is an object}, \\
(\!(tQ)\!)_\rho &= (\!(t)\!)_\rho && \text{if } Q \text{ is a constructor}, \\
(\!(\lambda x{:}\sigma.t)\!)_\rho &= \lambda^* x.\,(\!(t)\!)_{\rho(x:=x)} && \text{if } \sigma \text{ is a type}, \\
(\!(\lambda\alpha{:}A.t)\!)_\rho &= (\!(t)\!)_\rho && \text{if } A \text{ is a kind}.
\end{aligned}$$





Definition 7. For $\rho$ an object variable valuation and $\xi$ a constructor variable 
valuation, we define the maps $\mathcal{V}(-)_{\xi\rho}$ and $[\![-]\!]_{\xi\rho}$ respectively from kinds to $\mathcal{N}$ 
and from constructors to $\bigcup\mathcal{N}$ as follows. (We leave the model $\mathcal{M}$ implicit.) 

$$\begin{aligned}
\mathcal{V}(*)_{\xi\rho} &:= \mathcal{P}, \\
\mathcal{V}(\Pi x{:}\sigma.B)_{\xi\rho} &:= \prod_{t\in[\![\sigma]\!]_{\xi\rho}} \mathcal{V}(B)_{\xi\rho(x:=t)}, \\
[\![\alpha]\!]_{\xi\rho} &:= \xi(\alpha), \\
[\![\Pi\alpha{:}A.\tau]\!]_{\xi\rho} &:= \bigcap_{a\in\mathcal{V}(A)_{\xi\rho}} [\![\tau]\!]_{\xi(\alpha:=a)\rho} && \text{if } A \text{ is a kind}, \\
[\![\Pi x{:}\sigma.\tau]\!]_{\xi\rho} &:= \prod_{t\in[\![\sigma]\!]_{\xi\rho}} [\![\tau]\!]_{\xi\rho(x:=t)} && \text{if } \sigma \text{ is a type}, \\
[\![Pt]\!]_{\xi\rho} &:= [\![P]\!]_{\xi\rho}\,((\!(t)\!)_\rho), \\
[\![\lambda x{:}\sigma.P]\!]_{\xi\rho} &:= \lambda t \in [\![\sigma]\!]_{\xi\rho}.\,[\![P]\!]_{\xi\rho(x:=t)}.
\end{aligned}$$

Note that $\mathcal{V}(A)_{\xi\rho}$ and $[\![P]\!]_{\xi\rho}$ may be undefined. For example, in the definition 
of $[\![Pt]\!]_{\xi\rho}$, $(\!(t)\!)_\rho$ may not be in the domain of $[\![P]\!]_{\xi\rho}$, in the definition of $[\![\Pi x{:}\sigma.\tau]\!]_{\xi\rho}$, 
$[\![\sigma]\!]_{\xi\rho}$ may not be a polyset and in the definition of $\mathcal{V}(\Pi x{:}\sigma.B)_{\xi\rho}$, $[\![\sigma]\!]_{\xi\rho}$ may not 
be defined. From the Soundness Theorem (Theorem 1 below) it will follow that, under certain 
natural conditions for $\xi$ and $\rho$, $\mathcal{V}(A)_{\xi\rho}$ and $[\![P]\!]_{\xi\rho}$ are well-defined. 

Definition 8. For $\Gamma$ a $\lambda$P2-context, $\rho$ an object variable valuation and $\xi$ a 
constructor variable valuation, we say that $\xi, \rho$ fulfills $\Gamma$, notation $\xi, \rho \models \Gamma$, if 
for all $x \in \mathrm{Var}^*$ and $\alpha \in \mathrm{Var}^{\mathrm{Kind}}$, $x{:}\sigma \in \Gamma \Rightarrow \rho(x) \in [\![\sigma]\!]_{\xi\rho}$ and $\alpha{:}A \in \Gamma \Rightarrow 
\xi(\alpha) \in \mathcal{V}(A)_{\xi\rho}$. 

It is (implicit) in the definition that $\xi, \rho \models \Gamma$ only if for all declarations 
$x{:}\sigma \in \Gamma$, $[\![\sigma]\!]_{\xi\rho}$ is defined (and similarly for $\alpha{:}A \in \Gamma$). 

Definition 9. The notion of truth in a $\lambda$P2-model, notation $\models_{\mathcal{M}}$, and of truth, 
notation $\models$, are defined as follows. For $\Gamma$ a context, $t$ an object, $\sigma$ a type, $P$ a 
constructor and $A$ a kind of $\lambda$P2, 

$$\Gamma \models_{\mathcal{M}} t : \sigma \ \text{ if } \ \forall\xi,\rho\,[\xi,\rho \models \Gamma \Rightarrow (\!(t)\!)_\rho \in [\![\sigma]\!]_{\xi\rho}],$$

$$\Gamma \models_{\mathcal{M}} P : A \ \text{ if } \ \forall\xi,\rho\,[\xi,\rho \models \Gamma \Rightarrow [\![P]\!]_{\xi\rho} \in \mathcal{V}(A)_{\xi\rho}].$$

Quantifying over the class of all $\lambda$P2-models, we define, for $M$ an object or a 
constructor of $\lambda$P2, 

$$\Gamma \models M : T \ \text{ if } \ \Gamma \models_{\mathcal{M}} M : T \text{ for all } \lambda\text{P2-models } \mathcal{M}.$$

Soundness states that if a judgment $\Gamma \vdash M : T$ is derivable, then it is true 
in all models. It is proved 'model-wise', by induction on the derivation in $\lambda$P2. 

Theorem 1 (Soundness). For $\Gamma$ a context, $M$ an object or a constructor and 
$T$ a type or a kind of $\lambda$P2, 

$$\Gamma \vdash M : T \Rightarrow \Gamma \models M : T.$$

Example 3. Let $\mathcal{A}$ be a weca. 

1. The full $\lambda$P2-model over $\mathcal{A}$ is $\mathcal{M} = (\mathcal{A}, \mathcal{P}, \mathcal{N})$, where $\mathcal{P}$ is the full polyset 
structure over $\mathcal{A}$ (as defined in Example 2). 

2. The simple $\lambda$P2-model over $\mathcal{A}$ is $\mathcal{M} = (\mathcal{A}, \mathcal{P}, \mathcal{N})$, where $\mathcal{P}$ is the simple 
polyset structure over $\mathcal{A}$. (So $\mathcal{P} = \{\emptyset, A\}$.) 

3. The simple $\lambda$P2-model over the degenerate $\mathcal{A}$ is also called the proof- 
irrelevance model or PI-model for $\lambda$P2. 

4. For $C$ a set of constants, the $\lambda$P2-model generated from $C$ is defined by 
$\mathcal{M} = (\Lambda(C), \mathcal{P}, \mathcal{N})$, where $\mathcal{P}$ is the polyset structure generated from $C$. 
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4 Non-derivability Results in \P2 

We now show that the induction principle is not derivable in $\lambda P2$ by constructing a counter-model. We first introduce some notation and then we study some specific models and their properties.

In a logical model, validity of a formula $\varphi$ means that the interpretation of $\varphi$ is true in the model. In a type theoretical model, we call a type valid if its interpretation is nonempty. This conforms with the ‘formulas-as-types’ embedding from PRED2 to $\lambda P2$, where a formula is interpreted as the type of its proofs. (Hence, a formula is provable iff its associated type is nonempty.)

Definition 10. For $\mathcal{M}$ a $\lambda P2$-model, $\Gamma$ a context, $\sigma$ a type in $\Gamma$ and valuations $\xi,\rho$ such that $\xi,\rho \models \Gamma$, we say that $\sigma$ is valid in $\mathcal{M}$ under $\xi,\rho$, notation $\mathcal{M},\xi,\rho \Vdash \sigma$, if

$[\![\sigma]\!]_{\xi,\rho} \neq \emptyset$.

In case the model $\mathcal{M}$ is clear from the context, we omit it. Similarly we omit $\xi$ and/or $\rho$ if they are clear from the context or if the specific choice of $\xi$ or $\rho$ is irrelevant (e.g. in case of a closed type $\sigma$).

So, to prove the non-derivability of ind in $\lambda P2$, we are looking for a $\lambda P2$-model $\mathcal{M}$ such that

$\mathcal{M} \nVdash \mathrm{ind}$.

Definition 11. A $\lambda P2$-model $\mathcal{M}$ is consistent if $\emptyset \in \mathcal{P}$.

For a $\lambda P2$-model, being consistent is equivalent to saying that $[\![\bot]\!] = \emptyset$, because $[\![\bot]\!]$ is the minimal element (w.r.t. $\subseteq$) of $\mathcal{P}$. Here, $\bot$ is defined as usual as $\Pi\alpha{:}*.\alpha$.

Note that the polyset structures of the example above all yield a consistent $\lambda P2$-model.

Convention 12. From now on we only discuss consistent $\lambda P2$-models.



Definition 13. In a $\lambda P2$-model $\mathcal{M} = (\mathcal{A},\mathcal{P},\mathcal{N})$ we define the ‘connectives’ $\bot$, $\neg$, $\wedge$, $\vee$ and $\exists$ as follows. ($X, Y \in \mathcal{P}$, $F : X \to \mathcal{P}$ and $Y_i \in \mathcal{P}$ for all $i \in I$; as in types, we let brackets associate to the right.)

$\bot := \bigcap_{Z\in\mathcal{P}} Z$, $\qquad \neg X := X \to \bot$,

$X \wedge Y := \bigcap_{Z\in\mathcal{P}} (X \to Y \to Z) \to Z$, $\qquad X \vee Y := \bigcap_{Z\in\mathcal{P}} (X \to Z) \to (Y \to Z) \to Z$,

$\exists_{x\in X} F(x) := \bigcap_{Z\in\mathcal{P}} (\Pi_{x\in X} F(x) \to Z) \to Z$, $\qquad \exists_{i\in I} Y_i := \bigcap_{Z\in\mathcal{P}} \big(\bigcap_{i\in I} (Y_i \to Z)\big) \to Z$.

Note that, due to the assumptions on a polyset structure, these are all elements of $\mathcal{P}$.



176 



H. Geuvers 



Remark 1. The definition of $\exists_{i\in I} Y_i$ is close to the union $\bigcup_{i\in I} Y_i$. If we define the elements $F$ and $G$ of the weca $\mathcal{A}$ by $F := \lambda^*x.xI$ and $G := \lambda^*xh.hx$ (where $I$ denotes the identity in $\mathcal{A}$: $I := skk$), then $F \in \exists_{i\in I} Y_i \to \bigcup_{i\in I} Y_i$ and $G \in \bigcup_{i\in I} Y_i \to \exists_{i\in I} Y_i$, even with $F \circ G = I$.$^1$ Note however, that $\bigcup_{i\in I} Y_i$ need not be an element of $\mathcal{P}$,$^2$ but we do have $\exists_{i\in I} Y_i = \emptyset \Leftrightarrow \bigcup_{i\in I} Y_i = \emptyset$.

Lemma 1. The following holds in arbitrary (consistent) $\lambda P2$-models $\mathcal{M}$.

(1) $\neg X \neq \emptyset \Leftrightarrow X = \emptyset$,

(2) $X \to Y \neq \emptyset \Leftrightarrow$ (if $X \neq \emptyset$ then $Y \neq \emptyset$),

(3) $X \wedge Y \neq \emptyset \Leftrightarrow X \neq \emptyset$ and $Y \neq \emptyset$,

(4) $X \vee Y \neq \emptyset \Leftrightarrow X \neq \emptyset$ or $Y \neq \emptyset$,

(5) $\exists_{x\in X} F(x) \neq \emptyset \Leftrightarrow \exists t \in X\,(F(t) \neq \emptyset)$,

(6) $\exists_{i\in I} Y_i \neq \emptyset \Leftrightarrow \exists i \in I\,(Y_i \neq \emptyset)$,

(7) $\Pi_{x\in X} F(x) \neq \emptyset \Rightarrow \forall t \in X\,(F(t) \neq \emptyset)$,

(8) $\bigcap_{i\in I} Y_i \neq \emptyset \Rightarrow \forall i \in I\,(Y_i \neq \emptyset)$.



Proof. We reason classically in the meta-theory of the models (otherwise $\Leftarrow$ in (2) and in (4)–(6) are problematic).

(1) follows immediately from $\bot = \emptyset$ (i.e. the consistency of the $\lambda P2$-model).

For (2), $\Rightarrow$ is immediate. For $\Leftarrow$, we distinguish cases: if $X \neq \emptyset$, then $Y \neq \emptyset$, say $q \in Y$, and hence $\lambda^*x.q \in X \to Y$; if $X = \emptyset$, then $\lambda^*x.x \in X \to Y$. For (3), $\Rightarrow$: if $M \in X \wedge Y$, then $Mk \in X$ and $M(ki) \in Y$ (where $i$ is the identity in the weca, $i := skk$). $\Leftarrow$: if $M_1 \in X$, $M_2 \in Y$, then $\lambda^*h.hM_1M_2 \in X \wedge Y$.

For (4), $\Rightarrow$: let $M \in X \vee Y$ and suppose $X = Y = \emptyset$. Then $Maa \in \emptyset$ ($a \in \mathcal{A}$ arbitrary), contradiction. So $X \neq \emptyset$ or $Y \neq \emptyset$. $\Leftarrow$: if $M \in X$, then $\lambda^*hg.hM \in X \vee Y$ and similarly for $M \in Y$.

For (5), $\Rightarrow$: let $M \in \exists_{x\in X} F(x)$ and suppose $\forall x \in X\,(F(x) = \emptyset)$. Then $M(\lambda^*x.\lambda^*y.y) \in \emptyset$, contradiction, so $\exists x \in X\,(F(x) \neq \emptyset)$. $\Leftarrow$: If $q \in F(t)$ for certain $t \in X$, then $\lambda^*h.htq \in \exists_{x\in X} F(x)$.

(6) follows from Remark 1 and (7) and (8) are immediate.

Remark 2. The reverse implications in Lemma 1, cases (7) and (8), do not hold in general. A counterexample can be found by looking at the full polyset structure over $\mathcal{A} = \Lambda$. Define $F : \Lambda \to \mathcal{P}$ by $F(t) = \Lambda \setminus \{t\}$. Then $F(t) \neq \emptyset$ for all $t \in \Lambda$. Now suppose $M \in \Pi_{x\in\Lambda} F(x)$. Then $Mt \neq t$ for all $t \in \Lambda$, but this is not possible, since $M$ has a fixed point. This contradicts the reverse implication of (7). If we consider $\bigcap_{t\in\Lambda} (\Lambda \setminus \{t\}) = \emptyset$, we immediately find a counterexample to the reverse implication of (8).

$^1$ In a weca $\mathcal{A}$, composition is defined as usual by $a \circ b := \lambda^*x.a\cdot(b\cdot x)$.

$^2$ The examples $\mathcal{P}$ of the example above are all closed under arbitrary union and at this moment we don’t know of any $\mathcal{P}$ that is not closed under unions. However, Definition 13 does not a priori require a $\mathcal{P}$ to be closed under union.
Lemma 2. For a simple $\lambda P2$-model over $\mathcal{A}$ the reverse implications in Lemma 1, cases (7) and (8), hold. Similarly for a $\lambda P2$-model generated from a set $C$.

Proof. Case (8) is immediate: $\bigcap_{i\in I} Y_i$ can only be empty if one of the $Y_i$ is empty. For (7), if for all $t \in X$, $Ft \neq \emptyset$, then there is an element $q$ such that $\forall t \in X\,(q \in Ft)$ (this is a peculiar feature of these models) and hence $\lambda^*x.q \in \Pi_{t\in X} Ft$.



Lemma 3. All $\lambda P2$-models satisfy classical logic, i.e.

$\neg\neg X \to X \neq \emptyset$

for all $X \in \mathcal{P}$ in all $\lambda P2$-models.

Proof. We reason classically in the models, using Lemma 1. Let $X \in \mathcal{P}$. If $X \neq \emptyset$, say $t \in X$, then $\neg\neg X \to X \neq \emptyset$, because e.g. $\lambda^*x.t \in \neg\neg X \to X$. If $X = \emptyset$, then $\neg X = \mathcal{A}$, so $\neg\neg X = \emptyset$, so $\neg\neg X \to X = \mathcal{A}$.

Remark 3. It is not the case that $\bigcap_{X\in\mathcal{P}} \neg\neg X \to X \neq \emptyset$ in all $\lambda P2$-models. In fact we have the following.

1. In the full $\lambda P2$-model over $\Lambda$, $\bigcap_{X\in\mathcal{P}} \neg\neg X \to X = \emptyset$.

2. In simple $\lambda P2$-models or models generated by some $C$, $\bigcap_{X\in\mathcal{P}} \neg\neg X \to X \neq \emptyset$.

The first is proved by defining $X_i = \{x_i\}$ for all $i \in \mathbb{N}$ (with, of course, all $x_i$ different). Then $\neg\neg X_i = \Lambda$. Now, suppose $M \in \bigcap_{X\in\mathcal{P}} \neg\neg X \to X$. Then for any $N \in \Lambda$, we find that $\forall i \in \mathbb{N}\,(MN \in X_i)$, i.e. $MN =_\beta x_i$ for all $i$, which is not possible, as $MN$ contains only finitely many free variables.

The second is proved by noticing that, in these models, there is an element $P$ such that $X \neq \emptyset \Rightarrow P \in X$. Hence $\lambda^*x.P \in \bigcap_{X\in\mathcal{P}} \neg\neg X \to X$, following the reasoning in the proof of Lemma 3.

Equality is defined in $\lambda P2$ using Leibniz equality: for $\sigma : *$, $M, N : \sigma$

$M =_\sigma N := \Pi P{:}\sigma\to*.\,(PM) \to (PN)$.

In case the type is clear from the context, we often do not write it as a subscript in the Leibniz equality. The notion of ‘Proof-Irrelevance’, meaning that for any type $\sigma$, all terms of type $\sigma$ are equal, is defined by $\mathrm{PI} := \Pi\alpha{:}*.\Pi x,y{:}\alpha.\,x =_\alpha y$.

Lemma 4. Given a $\lambda P2$-model $\mathcal{M}$, a type $\sigma$ and terms $M, N : \sigma$, we have

$\mathcal{M},\xi,\rho \Vdash M =_\sigma N \Leftrightarrow [\![M]\!]_\rho = [\![N]\!]_\rho$.

Proof. $\Rightarrow$: Suppose $\bigcap_{Q\in[\![\sigma]\!]\to\mathcal{P}} Q([\![M]\!]_\rho) \to Q([\![N]\!]_\rho) \neq \emptyset$. Take $Q$ such that $Qx \neq \emptyset$ iff $x = [\![M]\!]_\rho$. Then it is the case that $Q([\![N]\!]_\rho) \neq \emptyset$, hence $[\![M]\!]_\rho = [\![N]\!]_\rho$.

$\Leftarrow$: If $[\![M]\!]_\rho = [\![N]\!]_\rho$, then $Q([\![M]\!]_\rho) = Q([\![N]\!]_\rho)$, so $\lambda^*x.x \in \bigcap_{Q\in[\![\sigma]\!]\to\mathcal{P}} Q([\![M]\!]_\rho) \to Q([\![N]\!]_\rho)$.

Corollary 1. $\mathcal{M} \Vdash \mathrm{PI} \Rightarrow \mathcal{M}$ is the PI-model.

In this paper we focus especially on the induction principle for (an arbitrary encoding of) the natural numbers. We therefore characterize when a $\lambda P2$-model satisfies induction for the natural numbers.

Definition 14. Given a closed $\lambda P2$-type $N$ and closed terms $0 : N$ and $S : N \to N$, we define the type $\mathrm{ind}_{N,0,S}$ by

$\Pi P{:}N\to*.\,P0 \to (\Pi x{:}N.\,Px \to P(Sx)) \to \Pi x{:}N.\,Px$.



Lemma 5. For $\mathcal{M} = (\mathcal{A},\mathcal{P},\mathcal{N})$ a $\lambda P2$-model,

$\mathcal{M} \Vdash \mathrm{ind}_{N,0,S} \Rightarrow [\![N]\!] = \{S^n 0 \mid n \in \mathbb{N}\}$.

If, moreover, the test-for-zero and the predecessor function are definable on the type $N$ in the model $\mathcal{M}$, then also

$[\![N]\!] = \{S^n 0 \mid n \in \mathbb{N}\} \Rightarrow \mathcal{M} \Vdash \mathrm{ind}_{N,0,S}$.

Proof. For simplicity, we denote the interpretations of $N$, $0$ and $S$ in the model just by $N$, $0$ and $S$. Suppose $\mathcal{M} \Vdash \mathrm{ind}_{N,0,S}$. Then

$\bigcap_{Q\in N\to\mathcal{P}} Q0 \to (\Pi_{t\in N} Qt \to Q(St)) \to \Pi_{t\in N} Qt \neq \emptyset$.

Let $X$ be some non-empty element of $\mathcal{P}$. Define $Q : N \to \mathcal{P}$ as follows: $Qt = X$ if $t = S^n 0$ for some $n \in \mathbb{N}$ and $Qt = \emptyset$ otherwise. Then $Q0 \neq \emptyset$ and $\Pi_{t\in N} Qt \to Q(St) \neq \emptyset$, hence $\Pi_{t\in N} Qt \neq \emptyset$, say $M \in \Pi_{t\in N} Qt$. Now, suppose $q \in N$ with $q \neq S^n 0$ (for all $n \in \mathbb{N}$). Then $Qq = \emptyset$ but also $Mq \in Qq$, contradiction. So all $q \in N$ are of the form $S^n 0$.

For the reverse implication, suppose that the test-for-zero and the predecessor function are definable in the model and suppose that $N = \{S^n 0 \mid n \in \mathbb{N}\}$. To prove that $\bigcap_{Q\in N\to\mathcal{P}} Q0 \to (\Pi_{t\in N} Qt \to Q(St)) \to \Pi_{t\in N} Qt \neq \emptyset$, let $Q \in N \to \mathcal{P}$ be arbitrary and let $Z \in Q0$, $F \in \Pi_{t\in N} Qt \to Q(St)$. We are looking for an element of $\Pi_{t\in N} Qt$, which is given by an $H$ which is a solution to

$Hx = $ if $\mathrm{Zero}(x)$ then $Z$ else $F(x-1)(H(x-1))$.

This can be obtained by taking for $H$ a fixed point of $\lambda^*hx.$ if $\mathrm{Zero}(x)$ then $Z$ else $F(x-1)(h(x-1))$. Note that we need the test-for-zero and predecessor to be able to define this $H$.



Theorem 2. Induction over the natural numbers is not derivable in $\lambda P2$ for any type $N$ and terms $0 : N$, $S : N \to N$.

Proof. In the simple $\lambda P2$-model over $\Lambda$ (see Example 3), the interpretation of $N$ is $\Lambda$. So, using the Lemma, we conclude that $\mathrm{ind}_{N,0,S}$ is not valid in the model and hence $\mathrm{ind}_{N,0,S}$ is not inhabited in $\lambda P2$.

As can be observed from the proof, the non-derivability of induction in $\lambda P2$ is not caused by the fact that the logic of $\lambda P2$ is constructive logic. Note that taking the PI-model in the proof of the Theorem does not work, because then $[\![N]\!] = 1 = \{S^n 0 \mid n \in \mathbb{N}\}$, so we do not obtain a counterexample.

The arguments of Lemma 5 and Theorem 2 also apply to other data types like lists and trees and even to a finite data type like the booleans. So, induction is not derivable for any data type.

Remark 4. It is in general not the case in $\lambda P2$ that the induction principle for one data type (say the natural numbers) implies the induction principle for another data type (say booleans). For a counterexample consider the context $\Gamma = N : *, 0 : N, S : N \to N, h : \mathrm{ind}_{N,0,S}$ and the $\lambda P2$-model $(\Lambda(C), \mathcal{P}, \mathcal{N})$, where $C = \{S^n(0) \mid n \in \mathbb{N}\}$ (so the $S^n(0)$ are considered as constants) and $\mathcal{P}$ is the polyset structure generated from $C$. (See Example 3.)

Now, take valuations $\xi$ and $\rho$ with $\xi(N) = C$, $\rho(0) = 0$, $\rho(S) = S$ and $\rho(h) = \lambda^*zfx.0$. Then $\rho(h) \in [\![\mathrm{ind}_{N,0,S}]\!]_{\xi,\rho}$:

$\lambda^*zfx.0 \in \bigcap_{Q\in C\to\mathcal{P}} Q0 \to (\Pi_{t\in C} Qt \to Q(St)) \to \Pi_{t\in C} Qt$,

because for $Q \in C \to \mathcal{P}$, $Z \in Q0$, $G \in \Pi_{t\in C} Qt \to Q(St)$ and $t \in C$, we find that $t = S^n(0)$ (def of $C$) and for all $n \in \mathbb{N}$, $Q(S^n(0)) \neq \emptyset$ (induction on $n$, using $Z$ and $G$), so $0 \in Qt$. We conclude that $\xi,\rho \models \Gamma$.

So, $\mathcal{M},\xi,\rho \Vdash \mathrm{ind}_{N,0,S}$. On the other hand, for any closed type $B$ (the ‘booleans’) with closed terms $T : B$ and $F : B$, $[\![B]\!] \supsetneq \{[\![F]\!], [\![T]\!]\}$, so induction over booleans is not valid.

One may wonder what happens with the counterexample in the proof of Theorem 2 if we add induction over natural numbers to $\lambda P2$ as a primitive concept, together with the associated reduction rules. Let’s take a closer look at this situation.

We extend $\lambda P2$ with a type constant $N$ and term constants $0 : N$, $S : N \to N$, $R : \Pi P{:}N\to*.\,(P0) \to (\Pi y{:}N.\,Py \to P(Sy)) \to \Pi x{:}N.\,(Px)$. Furthermore we add reduction rules

$RPzf0 \to_R z$ and $RPzf(Sx) \to_R fx(RPzfx)$.

To make a model of this extension of $\lambda P2$ we have to give an interpretation to the constants in such a way that the equality rule for $R$ is preserved. For $\Lambda$ (that we used in the counter-model of Theorem 2), this can be achieved by adding primitive constants $0$, $S$ and $R$ to $\Lambda$, with the reduction rules

$Rzf0 \to_R z$ and $Rzf(Sx) \to_R fx(Rzfx)$.

Let’s denote this extension of $\lambda$-calculus (it is a weca) by $\Lambda^+$. (So we interpret $0$ by $0$, $S$ by $S$ and $R$ by $R$.) Now consider the simple $\Lambda^+$-model determined by the polyset structure $\{\emptyset, \Lambda^+\}$ and notice that it is not a model of this $\lambda P2$ extension, because $\mathrm{ind}_{N,0,S}$ is empty in this model (so we cannot interpret $R$).

We give one more non-derivability result in $\lambda P2$, based on our models.

Lemma 6. There are closed types $\sigma$, $\tau$ and a relation $R : \sigma \to \tau \to *$ in $\lambda P2$ for which the Axiom of Choice, $(\Pi x{:}\sigma.\exists y{:}\tau.\,Rxy) \to (\exists f{:}\sigma\to\tau.\,\Pi x{:}\sigma.\,Rx(fx))$, is not derivable.

Proof. The counterexample is similar to the one in Remark 2. Take $\sigma = \tau = \mathrm{nat}$ and $Rxy := x \neq_{\mathrm{nat}} y$ and consider the simple $\lambda P2$-model over $\mathcal{A} = \Lambda$. Now $\mathcal{M} \Vdash \Pi x{:}\sigma.\exists y{:}\tau.\,Rxy$, because this is equivalent to (using Lemmas 1 and 2) $\forall t \in \Lambda\,\exists q \in \Lambda\,(t \neq q)$. On the other hand, $\mathcal{M} \nVdash \exists f{:}\sigma\to\tau.\,\Pi x{:}\sigma.\,Rx(fx)$, because this is equivalent to the statement $\exists g \in \Lambda\,\forall t \in \Lambda\,(gt \neq t)$, which is not possible, because every element of $\Lambda$ has a fixed point.

The proof of non-derivability of the Axiom of Choice bears a strong similarity to a proof in [Barendregt 1973], credited originally to Scott, showing that classical Combinatory Logic extended with the Axiom of Choice is inconsistent.

Acknowledgments. Thanks to the referees for pointing out some mistakes in the original manuscripts and suggesting several improvements. Furthermore I want to thank Thierry Coquand for raising the question of derivability of induction in $\lambda P2$ and for some valuable discussions on the topic.
Abstract. We introduce an extension of Parigot’s $\lambda\mu$-calculus where disjunction is taken as a primitive. The associated reduction relation, which includes the permutative conversions related to disjunction, is Church-Rosser, strongly normalizing, and such that the normal deductions satisfy the subformula property. From a computer science point of view, it may be seen as the core of a typed CBN functional language featuring product, coproduct, and control operators.



1 Introduction 

During this last decade, several authors have investigated the relation existing between functional control operators, on the one hand, and normalization procedures for classical logic, on the other hand. This research originated in Griffin’s observation that Felleisen’s control operator $\mathcal{C}$ may be typed with the classical tautology $\neg\neg\alpha \to \alpha$.

Griffin’s discovery resulted in a lot of work aiming at extending the Curry-Howard correspondence to the case of classical logic. On the proof-theoretic side, the problem consists in defining a classical natural deduction system together with an appropriate proof normalization procedure such that the resulting normal deductions satisfy the subformula property. This ensures that proof normalization may be interpreted as an evaluation process.

In fact, it appears a posteriori that the line of research opened by Griffin may be traced back to Prawitz, who shows how to normalize deductions in the presence of the following classical absurdity rule:



$$\dfrac{\begin{array}{c}[\neg\alpha]\\ \vdots\\ \bot\end{array}}{\alpha}\;(\bot_c)$$

In order to obtain the subformula property, Prawitz restricts the use of Rule $\bot_c$ to the case where $\alpha$ is atomic. Then he shows how to transform any deduction in order to fulfill this requirement. For instance, any application of Rule $\bot_c$ whose conclusion is an implication may be transformed as follows:



S. Abramsky (Ed.): TLCA 2001, LNCS 2044, pp. 182-196, 2001.
$$
\dfrac{\begin{array}{c}[\neg(\alpha\to\beta)]^{(1)}\\ \Pi_1\\ \bot\end{array}}{\alpha\to\beta}\,(1)
\qquad\text{reduces to}\qquad
\dfrac{\dfrac{\begin{array}{c}\dfrac{\dfrac{[\neg\beta]^{(1)}\qquad\dfrac{[\alpha\to\beta]^{(2)}\qquad[\alpha]^{(3)}}{\beta}}{\bot}}{\neg(\alpha\to\beta)}\,(2)\\ \Pi_1\\ \bot\end{array}}{\beta}\,(1)}{\alpha\to\beta}\,(3)
\tag{1}
$$



It is worth noting that this reduction, which dates back to 1965, is strongly related to Felleisen’s operator $\mathcal{C}$. Indeed it corresponds precisely to the following rewriting rule:

$\mathcal{C}(\lambda k.M) \to \lambda n.\,\mathcal{C}(\lambda k.\,M[k := \lambda f.\,k\,(f\,n)])$,

which is reminiscent of one of Felleisen’s rules.

Prawitz gives similar rules for conjunction and the universal quantifier. For disjunction, however, there is a problem. Indeed, restricting the application of Rule $\bot_c$ to the case where its conclusion is atomic would imply, in the presence of disjunction, the existence of a universal decision procedure. A similar problem arises with the existential quantifier. Consequently Prawitz does not take disjunction and existential quantification as primitives.

A way of circumventing this problem is to observe that reductions akin to (1) are only needed when the conclusion of Rule $\bot_c$ is the principal formula of an elimination rule. In the case of implication, this idea gives rise to the following reduction scheme:

$$
\dfrac{\dfrac{\begin{array}{c}[\neg(\alpha\to\beta)]^{(1)}\\ \Pi_1\\ \bot\end{array}}{\alpha\to\beta}\,(1)\qquad\begin{array}{c}\Pi_2\\ \alpha\end{array}}{\beta}
\qquad\text{reduces to}\qquad
\dfrac{\begin{array}{c}\dfrac{\dfrac{[\neg\beta]^{(1)}\qquad\dfrac{[\alpha\to\beta]^{(2)}\qquad\begin{array}{c}\Pi_2\\ \alpha\end{array}}{\beta}}{\bot}}{\neg(\alpha\to\beta)}\,(2)\\ \Pi_1\\ \bot\end{array}}{\beta}\,(1)
\tag{2}
$$


which is also used in the literature, and which amounts, modulo some additional $\beta$-contraction steps, to Parigot’s $\mu$-reduction. Applying the same idea to the case of disjunction yields the following figure:

$$
\dfrac{\dfrac{\begin{array}{c}[\neg(\alpha\vee\beta)]^{(1)}\\ \Pi_1\\ \bot\end{array}}{\alpha\vee\beta}\,(1)\qquad\begin{array}{c}[\alpha]\\ \Pi_2\\ \gamma\end{array}\qquad\begin{array}{c}[\beta]\\ \Pi_3\\ \gamma\end{array}}{\gamma}
\qquad\text{reduces to}\qquad
\dfrac{\begin{array}{c}\dfrac{\dfrac{[\neg\gamma]^{(1)}\qquad\dfrac{[\alpha\vee\beta]^{(2)}\qquad\begin{array}{c}[\alpha]\\ \Pi_2\\ \gamma\end{array}\qquad\begin{array}{c}[\beta]\\ \Pi_3\\ \gamma\end{array}}{\gamma}}{\bot}}{\neg(\alpha\vee\beta)}\,(2)\\ \Pi_1\\ \bot\end{array}}{\gamma}\,(1)
\tag{3}
$$


which corresponds precisely to one of the reduction rules proposed in the literature. Reduction (3), however, is not sufficient to solve the problems related to disjunction. Indeed, in order to obtain the subformula property, one also needs the so-called permutative conversions. Consequently, normalization procedures for full classical logic might be rather intricate since they involve three kinds of reduction steps:

— the usual detour conversions of intuitionistic natural deduction,

— conversions related to Rule $\bot_c$,

— permutative conversions related to disjunction.

In the present paper, we revisit this problem from a type-theoretic point of view. Our main contribution is the definition of an extension of the $\lambda\mu$-calculus such that:

(a) intuitionistic disjunction, i.e., coproduct, is taken as a primitive;

(b) normal deductions satisfy the subformula property;

(c) the reduction relation is defined by means of local reduction steps;$^1$

(d) the reduction relation is proven to be strongly normalizing;

(e) the reduction relation is Church-Rosser;

(f) the reduction relation is defined at the untyped level;$^2$

(g) the reduction relation satisfies the subject reduction property.

Properties (e), (f), and (g) are of special interest from a programming language perspective. Property (e) ensures the unicity of the normal forms, which allows the reduction relation to be considered as the core of an operational semantics. Properties (f) and (g), on the other hand, allow the typing information to be ignored at run time.

$^1$ By a local reduction step, we mean a rewriting rule that is compatible with the term formation rules, i.e., a rewriting rule $s \to t$ such that $C[s] \to C[t]$ independently of the shape of the context $C$.

$^2$ From a proof-theoretic point of view, it means that the proof normalization steps are defined on the shape of the derivations, according to the inference rules that are used and without any proviso on the formulas that are introduced or eliminated.
To the best of our knowledge, there is no classical extension of the simply typed $\lambda$-calculus (or equivalently, no normalisation procedure for classical natural deduction) that enjoys all of the above properties. In particular, neither (d) nor (e) are satisfied by some of the existing systems. The handling of the permutative conversions in others does not satisfy (c) and (e), while the handling of classical negation does not satisfy (f). Finally, the extension of $\lambda\mu$ that satisfies (a) does not satisfy (b).

In a series of papers, Ritter, Pym, and Wallen introduce an extension of the $\lambda\mu$-calculus that also features disjunction as a primitive. Their system is rather different from ours because they take as primitive a classical form of disjunction that amounts to $\neg A \to B$. Nevertheless, Pym and Ritter give a brief account of another extension of the $\lambda\mu$-calculus with an intuitionistic disjunction. However, the reduction rules they give are not sufficient to guarantee that the normal proofs satisfy the subformula property.

In order to prove that our system is strongly normalizable, we use the method that we have introduced in [7]. This yields several auxiliary results that have independent interest:

— We reduce, by finitary means, the strong normalization of classical logic to the strong normalization of intuitionistic implicative logic. Consequently, when combined with an arithmetizable proof of the strong normalization of the simply typed $\lambda$-calculus, our method yields a completely arithmetizable proof of the strong normalization of classical propositional logic.

— We prove the strong normalization of Parigot’s $\mu$-reduction (together with similar reduction relations) on the untyped terms. This result confirms that the reduction relations related to the classical absurdity rule are structural reductions, akin to permutative conversions, which do not carry any real computational content.

— We provide the calculus with a continuation passing style semantics that may be used to construct denotational models of classical logic with disjunction as a primitive.

— Our CPS-translation, since it is defined on the untyped $\lambda\mu$-terms, may be raised to the second order. This yields a new proof of the strong normalization of Parigot’s original second-order $\lambda\mu$-calculus. In contrast to earlier proofs, this proof does not require any extension of the reducibility candidate method since it consists in reducing the problem to the strong normalization of Girard’s system F.

2 Classical Propositional Logic as an Extension of the $\lambda\mu$-Calculus

The types are the formulas of propositional logic built upon a finite set of atomic types, using the connectives $\to$, $\vee$, and $\wedge$. The set of atomic types contains the constant $\bot$ that stands for absurdity, and negation is defined in the usual way: $\neg\alpha = \alpha \to \bot$.
The untyped terms (that we will call $\lambda\mu$-terms, for short) are built upon two disjoint alphabets of variables $\mathcal{X}$ and $\mathcal{A}$, according to the following grammar:

$$T ::= x \mid \lambda x.T \mid TT \mid \langle T, T\rangle \mid \pi_1 T \mid \pi_2 T \mid \iota_1 T \mid \iota_2 T \mid \delta(T, x.T, x.T) \mid \mu a.T \mid aT$$

The elements of $\mathcal{X}$ are called $\lambda$-variables, and those of $\mathcal{A}$ are called $\mu$-variables. We let letters from the end of the alphabet ($x, y, z$) range over $\mathcal{X}$, and letters from the beginning of the alphabet ($a, b, c$) range over $\mathcal{A}$. $\delta$ and $\mu$ are binding operators. Any free occurrence of $x$ in $N$ and any free occurrence of $y$ in $O$ is bound in the term $\delta(M, x.N, y.O)$. Similarly, any free occurrence of $a$ in $M$ is bound in $\mu a.M$. We consider that some implicit convention (e.g., Barendregt’s variable convention) prevents clashes between free and bound variables. We write $\equiv$, without subscript, for the relation of $\alpha$-conversion, and we let $M[x := N]$ denote the usual capture-avoiding substitution.

We define an antecedent to be a set of declarations of the form $x{:}\alpha$ where $x$ is a $\lambda$-variable, $\alpha$ is a type, and where all the declared variables are distinct. Similarly, we define a succedent to be a set of declarations of $\mu$-variables obeying the same constraints. The typing system is given by means of sequents of the form $\Gamma \vdash M : \alpha\,;\,\Delta$, where $\Gamma$ is an antecedent, $M$ is a $\lambda\mu$-term, $\alpha$ is a type, and $\Delta$ is a succedent. The typing rules are the following:

$$x{:}\alpha, \Gamma \vdash x : \alpha\,;\,\Delta \quad\text{(var)}$$

$$\dfrac{x{:}\alpha, \Gamma \vdash M : \beta\,;\,\Delta}{\Gamma \vdash \lambda x.M : \alpha\to\beta\,;\,\Delta}\ (\to\text{-I})\qquad
\dfrac{\Gamma \vdash M : \alpha\to\beta\,;\,\Delta \qquad \Gamma \vdash N : \alpha\,;\,\Delta}{\Gamma \vdash MN : \beta\,;\,\Delta}\ (\to\text{-E})$$

$$\dfrac{\Gamma \vdash M : \alpha\,;\,\Delta \qquad \Gamma \vdash N : \beta\,;\,\Delta}{\Gamma \vdash \langle M, N\rangle : \alpha\wedge\beta\,;\,\Delta}\ (\wedge\text{-I})\qquad
\dfrac{\Gamma \vdash M : \alpha\wedge\beta\,;\,\Delta}{\Gamma \vdash \pi_1 M : \alpha\,;\,\Delta}\ (\wedge\text{-E1})\qquad
\dfrac{\Gamma \vdash M : \alpha\wedge\beta\,;\,\Delta}{\Gamma \vdash \pi_2 M : \beta\,;\,\Delta}\ (\wedge\text{-E2})$$

$$\dfrac{\Gamma \vdash M : \alpha\,;\,\Delta}{\Gamma \vdash \iota_1 M : \alpha\vee\beta\,;\,\Delta}\ (\vee\text{-I1})\qquad
\dfrac{\Gamma \vdash M : \beta\,;\,\Delta}{\Gamma \vdash \iota_2 M : \alpha\vee\beta\,;\,\Delta}\ (\vee\text{-I2})$$

$$\dfrac{\Gamma \vdash M : \alpha\vee\beta\,;\,\Delta \qquad x{:}\alpha, \Gamma \vdash N : \gamma\,;\,\Delta \qquad y{:}\beta, \Gamma \vdash O : \gamma\,;\,\Delta}{\Gamma \vdash \delta(M, x.N, y.O) : \gamma\,;\,\Delta}\ (\vee\text{-E})$$

$$\dfrac{\Gamma \vdash M : \bot\,;\,\Delta, a{:}\alpha}{\Gamma \vdash \mu a.M : \alpha\,;\,\Delta}\ (\mu\text{-abs})\qquad
\dfrac{\Gamma \vdash M : \alpha\,;\,\Delta, a{:}\alpha}{\Gamma \vdash aM : \bot\,;\,\Delta, a{:}\alpha}\ (\text{name})$$
The one-step reduction relation is defined as the union of three different one-step reduction relations: the relation of detour-reduction ($\to_D$), which corresponds to the usual detour conversions of intuitionistic logic; the relation of $\delta$-reduction ($\to_S$), which corresponds to the permutative conversions related to the elimination rule of disjunction; the relation of $\mu$-reduction ($\to_\mu$), which corresponds to conversions that are proper to classical logic. Following Barendregt [5], we write “$\to^+_x$” and “$\twoheadrightarrow_x$” to denote, respectively, the transitive closure and the transitive, reflexive closure of a reduction relation “$\to_x$”.

Definition 1. (detour-reduction)

(a) $(\lambda x.M)\,N \to_D M[x := N]$

(b) $\pi_1 \langle M, N\rangle \to_D M$

(c) $\pi_2 \langle M, N\rangle \to_D N$

(d) $\delta(\iota_1 M, x.N, y.O) \to_D N[x := M]$

(e) $\delta(\iota_2 M, x.N, y.O) \to_D O[y := M]$ ■

Definition 2. ($\delta$-reduction)

(a) $\delta(M, x.N, y.O)\,P \to_S \delta(M, x.NP, y.OP)$

(b) $\pi_1\,\delta(M, x.N, y.O) \to_S \delta(M, x.\pi_1 N, y.\pi_1 O)$

(c) $\pi_2\,\delta(M, x.N, y.O) \to_S \delta(M, x.\pi_2 N, y.\pi_2 O)$

(d) $\delta(\delta(M, x.N, y.O), u.P, v.Q) \to_S \delta(M, x.\delta(N, u.P, v.Q), y.\delta(O, u.P, v.Q))$ ■


In order to define the different basic $\mu$-reduction steps, we must first introduce a notion of structural substitution. Let $C[\,]$ be a context (i.e., a $\lambda\mu$-term with a hole). The structural substitution $M[a * := C[*]]$ is inductively defined as follows:

$x^* = x$

$(\lambda x.M)^* = \lambda x.(M^*)$

$(MN)^* = M^*\,N^*$

$\langle M, N\rangle^* = \langle M^*, N^*\rangle$

$(\pi_1 M)^* = \pi_1 (M^*)$

$(\pi_2 M)^* = \pi_2 (M^*)$

$(\iota_1 M)^* = \iota_1 (M^*)$

$(\iota_2 M)^* = \iota_2 (M^*)$

$\delta(M, x.N, y.O)^* = \delta(M^*, x.N^*, y.O^*)$

$(\mu b.M)^* = \mu b.(M^*)$ if $a \neq b$

$(\mu a.M)^* = \mu a.M$

$(bM)^* = b(M^*)$ if $a \neq b$

$(aM)^* = C[M^*]$

where $M^*$ stands for $M[a * := C[*]]$.

Definition 3. ($\mu$-reduction)

(a) $(\mu a.M)\,N \to_\mu \mu a.M[a * := a(*\,N)]$

(b) $\pi_1 (\mu a.M) \to_\mu \mu a.M[a * := a(\pi_1 *)]$

(c) $\pi_2 (\mu a.M) \to_\mu \mu a.M[a * := a(\pi_2 *)]$

(d) $\delta(\mu a.M, x.N, y.O) \to_\mu \mu a.M[a * := a\,\delta(*, x.N, y.O)]$

where $a \in FV(M)$. ■

In the above definition, we stipulate that $a$ must occur free in $M$. Nevertheless, the above reductions also make sense when the $\mu$-abstraction is vacuous. In this case, they correspond to the $\bot$-reductions of intuitionistic logic which are also needed for the subformula property. These $\bot$-reductions may therefore be seen as particular cases of $\mu$-reductions. However, for technical reasons, we prefer to keep them separate.

Definition 4. ($\bot$-reduction)

(a) $(\mu a.M)\,N \to_\bot \mu a.M$

(b) $\pi_1 (\mu a.M) \to_\bot \mu a.M$

(c) $\pi_2 (\mu a.M) \to_\bot \mu a.M$

(d) $\delta(\mu a.M, x.N, y.O) \to_\bot \mu a.M$

where $a \notin FV(M)$. ■

The next proposition ensures that the above relations of reduction, which are defined at the untyped level, correspond indeed to proof-theoretic conversions.

Proposition 1. (Subject reduction) Let $M$, $N$, $\alpha$, $\Gamma$, and $\Delta$ be such that $\Gamma \vdash M : \alpha\,;\,\Delta$ and $M \to_{DS\mu\bot} N$. Then $\Gamma \vdash N : \alpha\,;\,\Delta$. □

We end this section by giving a characterization of the normal terms, from which we derive the subformula property. Consider the following grammar:

$$P ::= \lambda x.P \mid \langle P, P\rangle \mid \iota_1 P \mid \iota_2 P \mid \delta(Q, x.P, x.P) \mid \mu a.P \mid Q$$
$$Q ::= x \mid QP \mid \pi_1 Q \mid \pi_2 Q \mid aP$$

We say that a $\lambda\mu$-term that conforms to $P$ is $P$-canonical (or simply, canonical). Similarly, a $\lambda\mu$-term that conforms to $Q$ is said to be $Q$-canonical.

Lemma 1. Let $M$, $\alpha$, $\Gamma$, and $\Delta$ be such that

$\Gamma \vdash M : \alpha\,;\,\Delta$ (*)

and let $\Pi$ be the derivation of (*).

(a) If $M$ is $Q$-canonical then every type occurring in $\Pi$ is either $\bot$, or a subformula of a type occurring in $\Gamma$ or $\Delta$.

(b) If $M$ is $P$-canonical then every type occurring in $\Pi$ is either $\bot$, or a subformula of a type occurring in $\Gamma$ or $\Delta$, or a subformula of $\alpha$. □

Lemma 2. Let $M$, $\alpha$, $\Gamma$, and $\Delta$ be such that $\Gamma \vdash M : \alpha\,;\,\Delta$. If $M$ is $DS\mu\bot$-normal then $M$ is canonical. □

We get the subformula property as a direct consequence of these two lemmas.

Proposition 2. Let $M$, $\alpha$, $\Gamma$, and $\Delta$ be such that

$\Gamma \vdash M : \alpha\,;\,\Delta$ (*)

If $M$ is $DS\mu\bot$-normal then every type occurring in the derivation of (*) is either $\bot$, or a subformula of a type occurring in $\Gamma$ or $\Delta$, or a subformula of $\alpha$. □



3 Strong Normalisation of the Structural Reductions

In this section, we prove that the untyped $\lambda\mu$-terms are strongly normalizable with respect to the reduction relation induced by the structural reduction steps (i.e., $\delta$, $\mu$, and $\bot$). To this end, we provide the $\lambda\mu$-terms with a norm that strictly decreases under the relation of $\delta\mu\bot$-reduction. This norm is adapted from the norm that we introduced in [7]. Nevertheless it is more involved because we have to accommodate the structural substitutions of the $\mu$-reductions.

Definition 5. The norm $|\cdot|$ assigned to the $\lambda\mu$-terms is inductively defined as follows:

(a) $|x| = 1$;

(b) $|\lambda x.M| = |M|$

(c) $|MN| = |M| + \#M \times |N|$

(d) $|\langle M, N\rangle| = |M| + |N|$

(e) $|\pi_1 M| = |M| + \#M$

(f) $|\pi_2 M| = |M| + \#M$

(g) $|\iota_1 M| = |M|$

(h) $|\iota_2 M| = |M|$

(i) $|\delta(M, x.N, y.O)| = |M| + \#M \times (|N| + |O|)$

(j) $|\mu a.M| = |M|$

(k) $|aM| = |M|$

where:

(a) $\#x = 1$;

(b) $\#\lambda x.M = 1$

(c) $\#MN = \#M$

(d) $\#\langle M, N\rangle = 1$

(e) $\#\pi_1 M = \#M$

(f) $\#\pi_2 M = \#M$

(g) $\#\iota_1 M = 1$

(h) $\#\iota_2 M = 1$

(i) $\#\delta(M, x.N, y.O) = 2 \times \#M \times (\#N + \#O)$

(j) $\#\mu a.M = \lfloor M\rfloor_a + 1$

(k) $\#aM = 1$

and where:

(a) $\lfloor x\rfloor_a = 0$;

(b) $\lfloor \lambda x.M\rfloor_a = \lfloor M\rfloor_a$

(c) $\lfloor MN\rfloor_a = \lfloor M\rfloor_a + \#M \times \lfloor N\rfloor_a$

(d) $\lfloor \langle M, N\rangle\rfloor_a = \lfloor M\rfloor_a + \lfloor N\rfloor_a$

(e) $\lfloor \pi_1 M\rfloor_a = \lfloor M\rfloor_a$

(f) $\lfloor \pi_2 M\rfloor_a = \lfloor M\rfloor_a$

(g) $\lfloor \iota_1 M\rfloor_a = \lfloor M\rfloor_a$

(h) $\lfloor \iota_2 M\rfloor_a = \lfloor M\rfloor_a$

(i) $\lfloor \delta(M, x.N, y.O)\rfloor_a = \lfloor M\rfloor_a + \#M \times (\lfloor N\rfloor_a + \lfloor O\rfloor_a)$

(j) $\lfloor \mu b.M\rfloor_a = \lfloor M\rfloor_a$

(k) $\lfloor aM\rfloor_a = \lfloor M\rfloor_a + \#M$

(l) $\lfloor bM\rfloor_a = \lfloor M\rfloor_a$ ■

This norm is strictly positive and compatible with the term formation rules.

Lemma 3. Let $C[\,]$ be any context.

(a) If $\#M \geq \#N$ and $|M| > |N|$ then $|C[M]| > |C[N]|$;

(b) If $\#M \geq \#N$ and $\lfloor M\rfloor_a \geq \lfloor N\rfloor_a$ then $\#C[M] \geq \#C[N]$ and $\lfloor C[M]\rfloor_a \geq \lfloor C[N]\rfloor_a$. □

The next proposition may be easily established by adapting the proof given in [7].

Proposition 3. If $S \to_S T$ then $|S| > |T|$, for any $\lambda\mu$-terms $S, T$. □

We end this section by sketching the proof that the norm of Definition 5 decreases under the relation of $\mu\bot$-reduction.

Lemma 4. Let $M, N$ be $\lambda\mu$-terms and let $M^* = M[a * := a(*\,N)]$. If $a \notin FV(N)$ then:

(a) $\lfloor M\rfloor_a = \lfloor M^*\rfloor_a$;

(b) $\lfloor M\rfloor_b + \lfloor M\rfloor_a \times \lfloor N\rfloor_b = \lfloor M^*\rfloor_b$;

(c) $|M| + \lfloor M\rfloor_a \times |N| = |M^*|$. □

Lemma 5. Let $S, T$ be $\lambda\mu$-terms. If $S \to_{\mu\bot} T$ then:

(a) $\#S \geq \#T$;

(b) $\lfloor S\rfloor_b \geq \lfloor T\rfloor_b$.

Proof. We establish the property as a consequence of Lemma 3 (b), by proving Inequations (a) and (b) for each basic reduction step. We give only the first case, and leave the other ones to the reader.

(a) $\#S = \#(\mu a.M)\,N$
$= \#\mu a.M$
$= \lfloor M\rfloor_a + 1$
$= \lfloor M[a * := a(*\,N)]\rfloor_a + 1$ by Lemma 4 (a)
$= \#\mu a.M[a * := a(*\,N)]$
$= \#T$

(b) $\lfloor S\rfloor_b = \lfloor (\mu a.M)\,N\rfloor_b$
$= \lfloor \mu a.M\rfloor_b + \#\mu a.M \times \lfloor N\rfloor_b$
$= \lfloor M\rfloor_b + (\lfloor M\rfloor_a + 1) \times \lfloor N\rfloor_b$
$\geq \lfloor M\rfloor_b + \lfloor M\rfloor_a \times \lfloor N\rfloor_b$
$= \lfloor M[a * := a(*\,N)]\rfloor_b$ by Lemma 4 (b)
$= \lfloor \mu a.M[a * := a(*\,N)]\rfloor_b$
$= \lfloor T\rfloor_b$

□



Proposition 4. If $S \to_{\mu\bot} T$ then $|S| > |T|$, for any $\lambda\mu$-terms $S, T$.

Proof. We establish the property as a consequence of Lemma 3 (a) and Lemma 5 by proving it for each basic reduction step. We give only the first case, and leave the other ones to the reader.

$|S| = |(\mu a.M)\,N|$
$= |\mu a.M| + \#\mu a.M \times |N|$
$= |M| + (\lfloor M\rfloor_a + 1) \times |N|$
$> |M| + \lfloor M\rfloor_a \times |N|$
$= |M[a * := a(*\,N)]|$ by Lemma 4 (c)
$= |\mu a.M[a * := a(*\,N)]|$
$= |T|$

□

As a direct consequence of Propositions 3 and 4 we obtain that any $\lambda\mu$-term is strongly $\delta\mu\bot$-normalizable.
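The structural substitution of Section 2 and the norm of Definition 5, as an added example that is not the paper's code: Python over a tuple-encoded term syntax (the encoding and the function names are this example's own). It implements $M[a * := C[*]]$, computes $|M|$, $\#M$ and $\lfloor M\rfloor_a$, performs the $\mu$-reduction step (a) of Definition 3 on a constructed term, and checks the identities of Lemma 4 and the strict decrease of Proposition 4 on it.

```python
# Added example (not the paper's code): lambda-mu terms as tuples, the structural
# substitution M[a* := C[*]], the norm of Definition 5, and the mu-reduction step
# (mu a. M) N  ->  mu a. M[a* := a(* N)], checked against Lemma 4 and Proposition 4.
# Term encoding (this example's own): ('var', x)  ('lam', x, M)  ('app', M, N)
#   ('pair', M, N)  ('pi1', M) ('pi2', M) ('in1', M) ('in2', M)
#   ('delta', M, x, N, y, O)  ('mu', a, M)  ('name', a, M) for "a M".
# Terms are assumed to respect the variable convention, as in the paper.

def ssubst(M, a, C):
    """Structural substitution M[a* := C[*]]: each named subterm a N becomes
    C(N*). C is a Python function standing for the context C[]."""
    t = M[0]
    if t == 'var':
        return M
    if t == 'lam':
        return ('lam', M[1], ssubst(M[2], a, C))
    if t in ('app', 'pair'):
        return (t, ssubst(M[1], a, C), ssubst(M[2], a, C))
    if t in ('pi1', 'pi2', 'in1', 'in2'):
        return (t, ssubst(M[1], a, C))
    if t == 'delta':
        return ('delta', ssubst(M[1], a, C), M[2], ssubst(M[3], a, C),
                M[4], ssubst(M[5], a, C))
    if t == 'mu':                        # (mu a. M)* = mu a. M   (a is rebound)
        return M if M[1] == a else ('mu', M[1], ssubst(M[2], a, C))
    body = ssubst(M[2], a, C)            # 'name': (a M)* = C[M*], (b M)* = b (M*)
    return C(body) if M[1] == a else ('name', M[1], body)

def size(M):
    """|M| of Definition 5."""
    t = M[0]
    if t == 'var':
        return 1
    if t in ('lam', 'in1', 'in2', 'mu', 'name'):
        return size(M[-1])
    if t == 'app':
        return size(M[1]) + sharp(M[1]) * size(M[2])
    if t == 'pair':
        return size(M[1]) + size(M[2])
    if t in ('pi1', 'pi2'):
        return size(M[1]) + sharp(M[1])
    return size(M[1]) + sharp(M[1]) * (size(M[3]) + size(M[5]))   # delta

def sharp(M):
    """#M of Definition 5 (always >= 1)."""
    t = M[0]
    if t in ('var', 'lam', 'pair', 'in1', 'in2', 'name'):
        return 1
    if t in ('app', 'pi1', 'pi2'):
        return sharp(M[1])
    if t == 'delta':
        return 2 * sharp(M[1]) * (sharp(M[3]) + sharp(M[5]))
    return floor_a(M[2], M[1]) + 1                                # mu

def floor_a(M, a):
    """floor(M)_a of Definition 5; since every # is >= 1 it is > 0 iff a is free in M."""
    t = M[0]
    if t == 'var':
        return 0
    if t in ('lam', 'pi1', 'pi2', 'in1', 'in2'):
        return floor_a(M[-1], a)
    if t == 'app':
        return floor_a(M[1], a) + sharp(M[1]) * floor_a(M[2], a)
    if t == 'pair':
        return floor_a(M[1], a) + floor_a(M[2], a)
    if t == 'delta':
        return floor_a(M[1], a) + sharp(M[1]) * (floor_a(M[3], a) + floor_a(M[5], a))
    if t == 'mu':                        # mu a rebinds a: no free a inside
        return 0 if M[1] == a else floor_a(M[2], a)
    return floor_a(M[2], a) + (sharp(M[2]) if M[1] == a else 0)  # name

def mu_step_app(S):
    """Rule (a) of Definition 3: (mu a. M) N ->mu mu a. M[a* := a(* N)]; only
    when a is free in M (otherwise rule (a) of Definition 4 applies instead)."""
    assert S[0] == 'app' and S[1][0] == 'mu'
    a, M, N = S[1][1], S[1][2], S[2]
    assert floor_a(M, a) > 0, "a not free in M: this is a bottom-reduction"
    return ('mu', a, ssubst(M, a, lambda hole: ('name', a, ('app', hole, N))))

def check_decrease(S):
    """(|S|, |T|, #S, #T) for S ->mu T: Prop. 4 gives |S| > |T|, Lemma 5 #S >= #T."""
    T = mu_step_app(S)
    return size(S), size(T), sharp(S), sharp(T)

# Constructed sample: S = (mu a. <a z, a w>) (n m), with two free occurrences of a.
SAMPLE = ('app',
          ('mu', 'a', ('pair', ('name', 'a', ('var', 'z')),
                               ('name', 'a', ('var', 'w')))),
          ('app', ('var', 'n'), ('var', 'm')))

if __name__ == "__main__":
    print(check_decrease(SAMPLE))   # (8, 6, 3, 3)
```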



4 Postponement of the $\bot$-Reductions

All the right-hand sides of the rules of Definition 4 are of the same form: $\mu a.M$, where $a \notin FV(M)$. One easily checks that there is no critical pair between this form and any left-hand side of the rules of Definitions 1, 2 and 3. Consequently, the following proposition may be established easily.

Proposition 5. Let $R \in \{D, S, \mu\}$, and let $L$, $M$ and $N$ be three $\lambda\mu$-terms. If $L \to_\bot M \to_R N$ then there exists a $\lambda\mu$-term $O$ such that $L \to_R O \twoheadrightarrow_\bot N$. □

As a consequence of this proposition together with the strong normalization of the $\bot$-reductions, we have that any infinite sequence of $DS\mu\bot$-reduction steps may be turned into an infinite sequence of $DS\mu$-reduction steps.
5 Negative Translation and CPS-Simulation

In this section, we adapt to our calculus the negative translation and the CPS-simulation given in [7].

Definition 6. The negative translation $\bar\alpha$ of any type $\alpha$ is defined as $\bar\alpha = \neg\neg\alpha^\circ$, where $\neg\alpha = \alpha \to o$ for some distinguished atomic type $o$ (that is not used elsewhere), and where:

(a) $\bot^\circ = o$

(b) $a^\circ = a$

(c) $(\alpha \to \beta)^\circ = \bar\alpha \to \bar\beta$

(d) $(\alpha \wedge \beta)^\circ = \neg(\bar\alpha \to \neg\bar\beta)$

(e) $(\alpha \vee \beta)^\circ = \neg\bar\alpha \to \neg\bar\beta \to o$ ■

Definition 7. The CPS-translation $\overline{M}$ of any $\lambda\mu$-term $M$ is inductively defined as follows:

(a) $\overline{x} = \lambda k.\,x\,k$

(b) $\overline{\lambda x.M} = \lambda k.\,k\,(\lambda x.\overline{M})$

(c) $\overline{(MN)} = \lambda k.\,\overline{M}\,(\lambda m.\,m\,\overline{N}\,k)$

(d) $\overline{\langle M, N\rangle} = \lambda k.\,k\,(\lambda p.\,p\,\overline{M}\,\overline{N})$

(e) $\overline{\pi_1 M} = \lambda k.\,\overline{M}\,(\lambda p.\,p\,(\lambda i.\lambda j.\,i\,k))$

(f) $\overline{\pi_2 M} = \lambda k.\,\overline{M}\,(\lambda p.\,p\,(\lambda i.\lambda j.\,j\,k))$

(g) $\overline{\iota_1 M} = \lambda k.\,k\,(\lambda i.\lambda j.\,i\,\overline{M})$

(h) $\overline{\iota_2 M} = \lambda k.\,k\,(\lambda i.\lambda j.\,j\,\overline{M})$

(i) $\overline{\delta(M, x.N, y.O)} = \lambda k.\,\overline{M}\,(\lambda m.\,m\,(\lambda x.\,\overline{N}\,k)\,(\lambda y.\,\overline{O}\,k))$

(j) $\overline{\mu a.M} = \lambda a.\,\overline{M}\,(\lambda k.\,k)$

(k) $\overline{aM} = \lambda k.\,\overline{M}\,a$

where $k$, $m$, $p$, $i$ and $j$ are fresh variables. ■

The next proposition states that these two translations commute with the typing relation.

Proposition 6. Let $M$, $\alpha$, $\Gamma$, and $\Delta$ be such that $\Gamma \vdash M : \alpha;\ \Delta$. Then $\overline{M}$ is a λ-term of the simply typed λ-calculus, typable with type $\overline{\alpha}$ under the set of declarations $\overline{\Gamma}, \neg\Delta^\circ$. □

The translation of Definition 7 does not allow the detour-reduction steps to be simulated by β-reduction. This is due to the so-called administrative redexes. In order to circumvent this problem, we introduce the following modified translation.

Definition 8. The modified CPS-translation $\underline{M}$ of any λμ-term $M$ is defined as:

$$\underline{M} = \lambda k.\,(M : k)$$

where $k$ is a fresh variable, and where the infix operator $:$ obeys the following definition:

(a) $x : K = x\,K$

(b) $\lambda x.\,M : K = K\,(\lambda x.\,\underline{M})$

(c) $(M\,N) : K = M : \lambda m.\,m\,\underline{N}\,K$

(d) $\langle M, N\rangle : K = K\,(\lambda p.\,p\,\underline{M}\,\underline{N})$

(e) $\pi_1 M : K = M : \lambda p.\,p\,(\lambda i.\,\lambda j.\,i\,K)$

(f) $\pi_2 M : K = M : \lambda p.\,p\,(\lambda i.\,\lambda j.\,j\,K)$

(g) $\iota_1 M : K = K\,(\lambda i.\,\lambda j.\,i\,\underline{M})$

(h) $\iota_2 M : K = K\,(\lambda i.\,\lambda j.\,j\,\underline{M})$

(i) $\delta(M, x.N, y.O) : K = M : \lambda m.\,m\,(\lambda x.\,(N : K))\,(\lambda y.\,(O : K))$

(j) $\mu\alpha.\,M : K = (M : \lambda k.\,k)[\alpha := K]$ if $\alpha \in FV(M)$

(k) $\mu\alpha.\,M : K = (\lambda\alpha.\,(M : \lambda k.\,k))\,K$ if $\alpha \notin FV(M)$

(l) $\alpha\,M : K = M : \alpha$

where $m$, $p$, $i$ and $j$ are fresh variables. ■

This modified CPS-translation is consistent with the translation of Definition 7 in the sense of the following lemma.

Lemma 6. Let $M$ be a λμ-term. Then:

(a) $\overline{M} \twoheadrightarrow_\beta \underline{M}$,

(b) $\overline{M}\,K \twoheadrightarrow_\beta M : K$, for any λ-term $K$. □

As a consequence of this lemma, we obtain the following proposition.

Proposition 7. Let $M$, $\alpha$, $\Gamma$, and $\Delta$ be such that $\Gamma \vdash M : \alpha;\ \Delta$. Then $\underline{M}$ is a λ-term of the simply typed λ-calculus, typable with type $\overline{\alpha}$ under the set of declarations $\overline{\Gamma}, \neg\Delta^\circ$. □

We now prove that the modified CPS-translation of Definition 8 simulates the relation of detour-reduction by strict β-reduction, and the relations of S- and μ-reduction by equality. We first state a few technical lemmas.

Lemma 7. Let $M$ and $N$ be λμ-terms and $K$ be a simple λ-term such that $x \notin FV(K)$. Then $(M : K)[x := \underline{N}] \twoheadrightarrow_\beta (M[x := N]) : K$. □



Lemma 8. Let $M$, $N$, and $O$ be λμ-terms, and $K$ be a simple λ-term such that $\alpha \notin FV(K)$. Then:

(a) $(M : K)[\alpha := \lambda m.\,m\,\underline{N}\,\alpha] \twoheadrightarrow_\beta (M[\alpha * := \alpha\,(* N)]) : K$,

(b) $(M : K)[\alpha := \lambda p.\,p\,(\lambda i.\,\lambda j.\,i\,\alpha)] \twoheadrightarrow_\beta (M[\alpha * := \alpha\,(\pi_1 *)]) : K$,

(c) $(M : K)[\alpha := \lambda p.\,p\,(\lambda i.\,\lambda j.\,j\,\alpha)] \twoheadrightarrow_\beta (M[\alpha * := \alpha\,(\pi_2 *)]) : K$,

(d) $(M : K)[\alpha := \lambda m.\,m\,(\lambda x.\,(N : \alpha))\,(\lambda y.\,(O : \alpha))] \twoheadrightarrow_\beta (M[\alpha * := \alpha\,\delta(*, x.N, y.O)]) : K$. □



Lemma 9. Let $M$ and $N$ be two λμ-terms and let $C[\,]$ be any context. Then, for any simple λ-term $K$:

(a) if $M : K \to^+_\beta N : K$ then $C[M] : K \to^+_\beta C[N] : K$,

(b) if $M : K = N : K$ then $C[M] : K = C[N] : K$. □

The next two lemmas concern the simulation of the relations of detour- and S-reduction. Their proofs may be found in [7].

Lemma 10. Let $S$ and $T$ be two λμ-terms. If $S \to_D T$ then $\underline{S} \to^+_\beta \underline{T}$. □
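As an added worked instance (not from the paper) of Definitions 7 and 8, Lemma 6 and Lemma 10, take the λμ-term $M = (\lambda x.\,x)\,y$, which detour-reduces to $y$; both translations are computed below.

$$\begin{aligned}
\overline{M} &= \lambda k.\,\overline{\lambda x.\,x}\,(\lambda m.\,m\,\overline{y}\,k) && \text{Definition 7 (c)} \\
&= \lambda k.\,(\lambda k'.\,k'\,(\lambda x.\,\overline{x}))\,(\lambda m.\,m\,\overline{y}\,k) && \text{Definition 7 (b)} \\[4pt]
\underline{M} &= \lambda k.\,((\lambda x.\,x)\,y : k) \\
&= \lambda k.\,(\lambda x.\,x : \lambda m.\,m\,\underline{y}\,k) && \text{Definition 8 (c)} \\
&= \lambda k.\,(\lambda m.\,m\,\underline{y}\,k)\,(\lambda x.\,\underline{x}) && \text{Definition 8 (b)}
\end{aligned}$$

Since $\overline{x} = \underline{x} = \lambda k.\,x\,k$ and likewise for $y$, the only difference is the administrative redex $(\lambda k'.\,k'\,(\lambda x.\,\overline{x}))\,(\ldots)$ in $\overline{M}$; contracting it gives $\overline{M} \to_\beta \underline{M}$, as Lemma 6 (a) states. The detour step $M \to_D y$ is then simulated by strict β-reduction, as Lemma 10 states:

$$\begin{aligned}
\underline{M} &\to_\beta \lambda k.\,(\lambda x.\,\underline{x})\,\underline{y}\,k \\
&\to_\beta \lambda k.\,(\lambda k'.\,\underline{y}\,k')\,k && \text{since } \underline{x}[x := \underline{y}] = \lambda k'.\,\underline{y}\,k' \\
&\to_\beta \lambda k.\,\underline{y}\,k \\
&\to_\beta \lambda k.\,y\,k = \underline{y}
\end{aligned}$$

The middle steps are the instance $(x : k)[x := \underline{y}] = \underline{y}\,k \twoheadrightarrow_\beta y\,k = y : k$ of Lemma 7.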

Lemma 11. Let $S$ and $T$ be two λμ-terms. If $S \to_S T$ then $\underline{S} = \underline{T}$. □

It remains to prove that the μ-reductions are interpreted as equality.

Lemma 12. Let $S$ and $T$ be two λμ-terms such that $S \to_\mu T$. Then $\underline{S} = \underline{T}$.

Proof. We prove that, for any simple λ-term $K$,

$$S : K = T : K \qquad (*)$$

from which the property follows.

Equation (*) may be established as a consequence of Lemma 9 (b) by proving that it holds for each basic reduction step. We give only the first case, and leave the other ones to the reader.

$$\begin{aligned}
S : K &= (\mu\alpha.\,M)\,N : K \\
&= \mu\alpha.\,M : \lambda m.\,m\,\underline{N}\,K \\
&= (M : \lambda k.\,k)[\alpha := \lambda m.\,m\,\underline{N}\,K] \\
&= (M : \lambda k.\,k)[\alpha := \lambda m.\,m\,\underline{N}\,\alpha][\alpha := K] \\
&= (M[\alpha * := \alpha\,(* N)] : \lambda k.\,k)[\alpha := K] && \text{by Lemma 8 (a)} \\
&= \mu\alpha.\,M[\alpha * := \alpha\,(* N)] : K \\
&= T : K
\end{aligned}$$

□



6 Strong Normalization

We are now in a position to prove the main proposition of this paper.

Proposition 8. (Strong Normalization) Any well-typed λμ-term of is strongly normalizable with respect to the relation of DSμ⊥-reduction.

Proof. Suppose it is not the case. Then, by Proposition^ and\^ there would exist an infinite sequence of D- and Sμ-reduction steps starting from a typable term (say, $M$) of . If this infinite sequence contains infinitely many D-reduction steps, there must exist, by Lemmas 10, 11 and 12, an infinite sequence of β-reduction steps starting from $\underline{M}$. But this, by Proposition 7, would contradict the strong normalization of the simply typed λ-calculus. Hence the infinite sequence may contain only a finite number of D-reduction steps. But then, it would contain an infinite sequence of consecutive Sμ-reduction steps, which is impossible by Propositions\^ and^. □
7 Confluence of the Reductions

We prove the Church-Rosser property by establishing the local confluence of the reductions.

Lemma 13. Let $M$, $N$, $O$ be λμ-terms such that $M \to_{DS\mu} N$ and $M \to_{DS\mu} O$. Then there exists a λμ-term $P$ such that $N \twoheadrightarrow_{DS\mu} P$ and $O \twoheadrightarrow_{DS\mu} P$. □

Proposition 9. (Church-Rosser Property) Let $M$, $N$, $O$ be typable λμ-terms such that $M \twoheadrightarrow_{DS\mu} N$ and $M \twoheadrightarrow_{DS\mu} O$. Then there exists a λμ-term $P$ such that $N \twoheadrightarrow_{DS\mu} P$ and $O \twoheadrightarrow_{DS\mu} P$.

Proof. A consequence of Proposition 8, Lemma 13 and Newman's lemma. □
Abstract. We construct a new class of models for linear logic. These 
models are constructed on partially additive categories using the Int 
construction of Joyal, Street and Verity and double glueing construction 
of Hyland and Tan. We prove full completeness for MLL+MIX in these 
models. 



1 Introduction 

Partially Additive Categories (PACs) were introduced by Manes and Arbib [27] to provide an algebraic semantics for programming languages. They have also been used to provide a categorical model for the Geometry of Interaction (GoI) interpretation [15, 16]. PACs are also closely related to iteration theories and categories with fixed-point operations [15]. Mascari and Pedicini have used partially additive categories to provide a structured dynamics for algorithm executions inspired by GoI [10, 28]. Their approach is completely different from what we will discuss in this paper. In this paper, we construct a new class of models for the multiplicative fragment of linear logic. These models are constructed on partially additive categories using the Int construction of Joyal, Street and Verity and the double glueing construction of Hyland and Tan. We prove full completeness for these models.

The contributions of this work are: (1) using PACs to construct models of multiplicative linear logic, and thus opening new directions relating GoI-type semantics to denotational semantics, and iteration and fixed-point theories to linear logic models; (2) introducing new examples of traced symmetric monoidal, compact closed and eventually *-autonomous categories via the compact closure and glueing constructions; (3) providing a new class of fully complete models for MLL + MIX in a fashion that is in the spirit of a unified approach to the full completeness problem.

The paper is organized as follows: Section 2 contains a brief introduction to traced symmetric monoidal categories and the Int construction. In Section 3 we briefly discuss PACs and give some examples. A short introduction to full completeness and a brief discussion of functorial polymorphism and free monoidal categories form the bulk of Section 4. We recall the double glueing construction in Section 5 and present the main theorems of the paper in Section 6. Section 7 contains some concluding remarks and thoughts on future research directions.

We have omitted many proofs due to lack of space. We have been cautious 
to do this in such a way that the coherence and consistency of the text is not 
jeopardized. The reader is referred to author’s PhD thesis [15] for all the proofs 
that are not included in this paper. 



2 Traced Monoidal Categories 

Definition 2.1. A traced symmetric monoidal category is a symmetric monoidal category with a family of functions $Tr^U_{X,Y} : \mathcal{C}(X \otimes U, Y \otimes U) \to \mathcal{C}(X, Y)$, called a trace, subject to the following axioms:

- Natural in $X$: $Tr^U_{X,Y}(f)\,g = Tr^U_{X',Y}(f\,(g \otimes 1_U))$ where $f : X \otimes U \to Y \otimes U$, $g : X' \to X$,

- Natural in $Y$: $g\,Tr^U_{X,Y}(f) = Tr^U_{X,Y'}((g \otimes 1_U)\,f)$ where $f : X \otimes U \to Y \otimes U$, $g : Y \to Y'$,

- Dinatural in $U$: $Tr^U_{X,Y}((1_Y \otimes g)\,f) = Tr^{U'}_{X,Y}(f\,(1_X \otimes g))$ where $f : X \otimes U \to Y \otimes U'$, $g : U' \to U$,

- Vanishing (I, II): $Tr^I_{X,Y}(f) = f$ and $Tr^{U \otimes V}_{X,Y}(g) = Tr^U_{X,Y}(Tr^V_{X \otimes U, Y \otimes U}(g))$ for $f : X \otimes I \to Y \otimes I$ and $g : X \otimes U \otimes V \to Y \otimes U \otimes V$,

- Superposing: $g \otimes Tr^U_{X,Y}(f) = Tr^U_{W \otimes X, Z \otimes Y}(g \otimes f)$, for $f : X \otimes U \to Y \otimes U$ and $g : W \to Z$,

- Yanking: $Tr^U_{U,U}(\sigma_{U,U}) = 1_U$.

2.1 Int Construction

The Int construction was introduced by Joyal, Street and Verity in [21]. It is used to construct a free tortile monoidal category from a given traced balanced monoidal category. In this paper we will work with traced symmetric monoidal categories, and hence in this case the main result of [21] reads as follows.

Theorem 2.2 (Joyal, Street and Verity).¹ Suppose $\mathcal{C}$ is a traced symmetric monoidal category and $\mathcal{D}$ is a compact closed category. Then there exists a compact closed category $Int\,\mathcal{C}$ such that for all traced monoidal functors $F : \mathcal{C} \to \mathcal{D}$, there exists a symmetric monoidal functor $K : Int\,\mathcal{C} \to \mathcal{D}$ which is unique up to monoidal natural isomorphism with the property $KN = F$, where $N : \mathcal{C} \to Int\,\mathcal{C}$ is the full faithful inclusion functor.

Let $\mathcal{C}$ be a traced symmetric monoidal category. The category $Int\,\mathcal{C}$ is defined as follows:

¹ Note that this is the version of the original theorem for the case of symmetric monoidal categories.
- Objects: Pairs of objects from $\mathcal{C}$, e.g. $(A^+, A^-)$ where $A^+$ and $A^-$ are objects of $\mathcal{C}$.

- Arrows: An arrow $f : (A^+, A^-) \to (B^+, B^-)$ in $Int\,\mathcal{C}$ is $f : A^+ \otimes B^- \to B^+ \otimes A^-$ in $\mathcal{C}$.

- Identity: $1_{(A^+, A^-)} = 1_{A^+ \otimes A^-}$.

- Composition: Given $f : (A^+, A^-) \to (B^+, B^-)$ and $g : (B^+, B^-) \to (C^+, C^-)$, $gf : (A^+, A^-) \to (C^+, C^-)$ is given by:

$$gf = Tr^{B^-}_{A^+ \otimes C^-,\, C^+ \otimes A^-}\big((1_{C^+} \otimes \sigma_{B^-, A^-})(g \otimes 1_{A^-})(1_{B^+} \otimes \sigma_{A^-, C^-})(f \otimes 1_{C^-})(1_{A^+} \otimes \sigma_{C^-, B^-})\big)$$

- Tensor: $(A^+, A^-) \otimes (B^+, B^-) = (A^+ \otimes B^+, B^- \otimes A^-)$ and for $f : (A^+, A^-) \to (B^+, B^-)$ and $g : (C^+, C^-) \to (D^+, D^-)$, $f \otimes g$ is defined to be the following composite:

$$A^+ \otimes C^+ \otimes D^- \otimes B^- \to C^+ \otimes A^+ \otimes B^- \otimes D^- \to C^+ \otimes B^+ \otimes A^- \otimes D^- \to B^+ \otimes C^+ \otimes D^- \otimes A^- \to B^+ \otimes D^+ \otimes C^- \otimes A^-$$

- Unit: $(I, I)$.

Proposition 2.3. Let $\mathcal{C}$ be a traced symmetric monoidal category. Then $Int\,\mathcal{C}$ is a compact closed category. Moreover, $N : \mathcal{C} \to Int\,\mathcal{C}$ with $N(A) = (A, I)$ and $N(f) = f$ is a full and faithful embedding.

Proof. (Sketch) This is just a specialisation of the proof that appears in [21] and we will not repeat it here. However, we give the main morphisms of the closed structure. For any two objects $(A^+, A^-)$ and $(B^+, B^-)$ in $Int\,\mathcal{C}$, $\sigma_{(A^+,A^-),(B^+,B^-)} =_{def} \sigma_{A^+,B^+} \otimes \sigma_{A^-,B^-}$. The left dual of $(A^+, A^-)$ is $(A^+, A^-)^* = (A^-, A^+)$. The unit is given by $\eta_{(A^+,A^-)} : (I, I) \to (A^+, A^-) \otimes (A^+, A^-)^* =_{def} 1_{A^+ \otimes A^-}$ and the counit is $\varepsilon_{(A^+,A^-)} : (A^+, A^-)^* \otimes (A^+, A^-) \to (I, I) =_{def} 1_{A^- \otimes A^+}$. The internal homs are given by $(A^+, A^-) \multimap (B^+, B^-) = (B^+, B^-) \otimes (A^+, A^-)^* = (B^+ \otimes A^-, A^+ \otimes B^-)$. □

3 Partially Additive Categories

In this section we recall the definitions of partially additive monoids and of categories enriched over such monoids, partially additive categories. Partially additive categories were defined and used by Manes and Arbib to provide an algebraic semantics for programming languages [27]. Our interest in partially additive categories is primarily due to the fact that they provide a canonical construction for trace and composition in geometry of interaction categories, together with the unique decomposition property of morphisms (see Proposition 3.6 and the following discussion).

Definition 3.1. A partially additive monoid is a pair $(M, \Sigma)$, where $M$ is a nonempty set and $\Sigma$ is a partial function which maps countable families in $M$ to elements of $M$ (we say that $\{x_i\}_{i \in I}$ is summable if $\Sigma_{i \in I} x_i$ is defined),² subject to the following axioms:

² Throughout, "countable" means finite or denumerable. All index sets are countable.
1. Partition-Associativity Axiom. If $\{x_i\}_{i \in I}$ is a countable family and if $\{I_j\}_{j \in J}$ is a (countable) partition of $I$, then $\{x_i\}_{i \in I}$ is summable if and only if $\{x_i\}_{i \in I_j}$ is summable for every $j \in J$ and $\{\Sigma_{i \in I_j} x_i\}_{j \in J}$ is summable. In that case, $\Sigma_{i \in I} x_i = \Sigma_{j \in J} \Sigma_{i \in I_j} x_i$.

2. Unary Sum Axiom. Any family $\{x_i\}_{i \in I}$ in which $I$ is a singleton is summable and $\Sigma_{i \in I} x_i = x_j$ if $I = \{j\}$.

3. Limit Axiom. If $\{x_i\}_{i \in I}$ is a countable family and if $\{x_i\}_{i \in F}$ is summable for every finite subset $F$ of $I$, then $\{x_i\}_{i \in I}$ is summable.

We observe the following facts about partially additive monoids:

(i) Axiom 1 implies that every subfamily of a summable family is summable.

(ii) Axioms 1 and 2 imply that the empty family is summable. We denote $\Sigma_{i \in \emptyset} x_i$ by $0$, which is an additive identity for summation. In fact, $0$ is a countable additive identity.

(iii) Axiom 1 implies the obvious equations of commutativity and associativity for the sum (when defined). More generally, $\Sigma_{i \in I} x_{\varphi(i)}$ is defined for any permutation $\varphi$ of $I$ whenever $\Sigma_{i \in I} x_i$ exists, and the two sums are equal; just consider the partition $\{\{\varphi(j)\}\}_{j \in I}$.

(v) There are no additive inverses. Indeed, let $\{x_i\}_{i \in I}$ be a summable family with $\Sigma_{i \in I} x_i = 0$ and set $y = \Sigma_{j \in I - \{i\}} x_j$ for some $i \in I$. Then $y + x_i = 0$ and $x_i = x_i + (y + x_i) + (y + x_i) + \cdots = (x_i + y) + (x_i + y) + \cdots = 0$. Thus, $x_i = 0$ for all $i \in I$.

A doubly indexed family $f$ in a partially additive monoid $M$, $f : I \times J \to M$, is denoted as $\{f_{ij}\}_{i \in I, j \in J}$ or simply $\{f_{ij}\}$ if the index sets are clear from the context. Such a family is summable iff $\Sigma_{i \in I}(\Sigma_{j \in J} f_{ij})$ exists, and in that case $\Sigma_{i \in I, j \in J} f_{ij} = \Sigma_{i \in I}(\Sigma_{j \in J} f_{ij})$. It follows, using Axiom 1, that for a summable family $\{f_{ij}\}$,  $\Sigma_{i \in I}(\Sigma_{j \in J} f_{ij}) = \Sigma_{j \in J}(\Sigma_{i \in I} f_{ij})$. Here are some examples of partially additive monoids.

Example 3.2. 1. $M = PInj(X, Y)$, the set of partial injective functions from $X$ to $Y$. A family $\{f_i\}_{i \in I} \subseteq PInj(X, Y)$ is said to be summable iff $Dom(f_i) \cap Dom(f_j) = \emptyset$ and $Codom(f_i) \cap Codom(f_j) = \emptyset$ for all $i \neq j$. In that case, $(\Sigma_i f_i)(x) = f_j(x)$ if $x \in Dom(f_j)$ for some $j \in I$, and undefined otherwise.

2. $M = Pfn(X, Y)$, the set of partial functions from $X$ to $Y$. A family $\{f_i\}_{i \in I} \subseteq M$ is summable iff $Dom(f_i) \cap Dom(f_j) = \emptyset$ for all $i \neq j$. In that case, $(\Sigma_i f_i)(x) = f_j(x)$ if $x \in Dom(f_j)$ for some $j \in I$, and undefined otherwise. We denote this partially additive monoid by $(Pfn(X, Y), \Sigma)$.

3. $M = Rel^+(X, Y)$, the set of relations from a set $X$ to a set $Y$. Any family $\{R_i\}_{i \in I} \subseteq Rel^+(X, Y)$ is summable with $\Sigma_i R_i = \bigcup_{i \in I} R_i$.

Definition 3.3. The category of partially additive monoids, PAMon, has as objects partially additive monoids $(M, \Sigma)$. Its arrows $(M, \Sigma) \to (M', \Sigma')$ are maps from $M$ to $M'$ which preserve the sum. Composition and identities are inherited from Set.
Observe that PAMon has finite products: given $(M_1, \Sigma_1)$ and $(M_2, \Sigma_2)$, their product is $(M_1 \times M_2, \Sigma)$ where $\Sigma_i (x_i, y_i) = (\Sigma_1 x_i, \Sigma_2 y_i)$ for all summable families $\{(x_i, y_i)\}_{i \in I}$ in $M_1 \times M_2$. The zero object $0$ is $(\{0\}, \Sigma)$, in which all families are summable, with sum equal to $0$. In particular, PAMon is a symmetric monoidal category with product as the tensor.

A PAMon-category $\mathcal{C}$ is a category enriched in PAMon; that is, the homsets are enriched with an additive structure such that composition distributes over addition from left and right. More specifically, for all $f : W \to X$, $h : Y \to Z$ and for all summable families $\{g_i\}_{i \in I}$ in $\mathcal{C}(X, Y)$, $\{g_i f\}_{i \in I}$ and $\{h g_i\}_{i \in I}$ are also summable and $(\Sigma_{i \in I} g_i)\,f = \Sigma_{i \in I} g_i f$ and $h\,(\Sigma_{i \in I} g_i) = \Sigma_{i \in I} h g_i$.

Note that such categories have non-empty homsets and automatically have zero morphisms, namely $0_{XY} : X \to Y = \Sigma_{i \in \emptyset} f_i \in \mathcal{C}(X, Y)$.

Notation: We will use $+$ for the addition operation on the homsets. We use $\oplus$ for coproduct.

Definition 3.4. Let $\mathcal{C}$ be a PAMon-category with countable coproducts. We define quasi projections $p_j : \bigoplus_{i \in I} X_i \to X_j$ for all $j \in I$ as follows: $p_j\, in_k = 1_{X_j}$ if $k = j$ and $0_{X_k X_j}$ otherwise. Note that $p_j$ exists for all $j \in I$ since $\mathcal{C}$ has zero morphisms.

Definition 3.5. A partially additive category $\mathcal{C}$ is a PAMon-category with countable coproducts which satisfies the following axioms:

1. Compatible Sum Axiom. If $\{f_i\}_{i \in I} \subseteq \mathcal{C}(X, Y)$ is a countable family and there exists $f : X \to \bigoplus_{i \in I} Y$ such that $p_i f = f_i$ for all $i \in I$ (we say the $f_i$ are compatible), then $\Sigma_{i \in I} f_i$ exists.

2. Untying Axiom. If $f + g : X \to Y$ exists then so does $in_1 f + in_2 g : X \to Y \oplus Y$.

The dual of a partially additive category is a PAMon-category with countable products which satisfies the dual of the above axioms.

PACs enjoy the following properties: (i) the unique decomposition property, (ii) the existence of the iteration (dagger) operation, and (iii) the uniqueness of the additive structure. We will be more explicit regarding the first two properties.

Proposition 3.6 (Manes and Arbib [27]). Given $f : X \to \bigoplus_{i \in I} Y_i$ in a partially additive category, there exists a unique family $f_i : X \to Y_i$ with $f = \Sigma_{i \in I} in_i f_i$, namely, $f_i = p_i f$.

Corollary 3.7. Given $f : \bigoplus_{j \in J} X_j \to \bigoplus_{i \in I} Y_i$ in a partially additive category, there exists a unique family $\{f_{ij}\}_{i \in I, j \in J} : X_j \to Y_i$ with $f = \Sigma_{i \in I, j \in J} in_i f_{ij} p_j$, namely, $f_{ij} = p_i f\, in_j$.

Proof. In any PAC, $\Sigma_{i \in I} in_i p_i$ exists and $\Sigma_{i \in I} in_i p_i = 1 : \bigoplus_{i \in I} X_i \to \bigoplus_{i \in I} X_i$. To see this, note that by Proposition 3.6, $1_{\bigoplus X_i}$ can be uniquely written as $1 = \Sigma_i in_i p_i 1 = \Sigma_i in_i p_i$.

Now let $f = 1_{\bigoplus Y_i}\, f\, 1_{\bigoplus X_j} = (\Sigma_i in_i p_i)\, f\, (\Sigma_j in_j p_j) = \Sigma_{i,j} in_i p_i f in_j p_j = \Sigma_{i,j} in_i f_{ij} p_j$. For uniqueness, suppose there is another family $\{g_{kl}\}_{k \in I, l \in J}$ such that $f = \Sigma_{k,l} in_k g_{kl} p_l$. Then $f_{ij} = p_i f in_j = \Sigma_{k,l} p_i in_k g_{kl} p_l in_j = g_{ij}$ for all $i, j$. □

Based on this proposition, every morphism $f : \bigoplus_{j \in J} X_j \to \bigoplus_{i \in I} Y_i$ can be represented by its components. When $I$ and $J$ are finite, we will use the corresponding matrices to represent morphisms; for example, $f$ above with $|I| = m$ and $|J| = n$ is represented by an $m \times n$ matrix $(f_{ij})$. It also follows that the composition of morphisms in a PAC with finite coproducts in their domain and codomain corresponds to matrix multiplication of their matricial representations.

Remark 3.8. Note that although any morphism $f : \bigoplus_{j \in J} X_j \to \bigoplus_{i \in I} Y_i$ can be represented by the unique family $\{f_{ij}\}_{i \in I, j \in J}$ of its components, the converse is not necessarily true; that is to say, given a family $\{f_{ij}\}$ there may not be a morphism $f : \bigoplus_J X_j \to \bigoplus_I Y_i$ satisfying $f = \Sigma_{i,j} in_i f_{ij} p_j$. However, in case such an $f$ exists it will be unique.

Theorem 3.9 (Manes and Arbib [27]). Given a map $f : X \to Y \oplus X$ in a partially additive category, the sum $f^\dagger = \Sigma_{n \in \mathbb{N}} f_1 f_2^n : X \to Y$ exists, where $f_1 : X \to Y$ and $f_2 : X \to X$ are the components of $f$.

$f^\dagger$ is called the iterate (or dagger) of $f$. We define a family of operations $(-)^\dagger_{X,Y} : \mathcal{C}(X, Y \oplus X) \to \mathcal{C}(X, Y)$ which to each $f$ associates its iterate $f^\dagger$. This operation induces a trace operator on $\mathcal{C}$ as follows:

Proposition 3.10 ([15]). Every partially additive category is a traced symmetric monoidal category, where given $f : X \oplus U \to Y \oplus U$,

$$Tr^U_{X,Y}(f) = f_{11} + \Sigma_{n \in \mathbb{N}} f_{12}\, f_{22}^n\, f_{21}$$

and $f_{ij}$ are the components of $f$.
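As an added worked instance of Theorem 3.9 and Proposition 3.10 (not from the paper), take the partially additive category Pfn of Example 3.2 with the constructed partial function $f$ below, chosen on finite sets so that the trace sum can be evaluated term by term.

Let $X = \{x\}$, $U = \{u_1, u_2\}$, $Y = \{y\}$ and let $f : X \oplus U \to Y \oplus U$ be the partial function

$$f(x) = u_1, \qquad f(u_1) = u_2, \qquad f(u_2) = y.$$

By Corollary 3.7 its components $f_{ij} = p_i f\, in_j$ (index $1$ for $Y$ and $2$ for $U$ in the codomain, $1$ for $X$ and $2$ for $U$ in the domain) are

$$f_{11} = 0_{XY}, \qquad f_{12} : u_2 \mapsto y \ (\text{undefined on } u_1), \qquad f_{21} : x \mapsto u_1, \qquad f_{22} : u_1 \mapsto u_2 \ (\text{undefined on } u_2),$$

so in matrix form $f = \begin{pmatrix} f_{11} & f_{12} \\ f_{21} & f_{22} \end{pmatrix}$. The powers of $f_{22}$ are $f_{22}^0 = 1_U$, $f_{22}^1 = f_{22}$ and $f_{22}^n = 0_{UU}$ for $n \geq 2$, since $f_{22}$ is undefined on $u_2$. Hence the terms of the trace sum are

$$f_{12}\,f_{22}^0\,f_{21} = 0_{XY}, \qquad f_{12}\,f_{22}\,f_{21} : x \mapsto u_1 \mapsto u_2 \mapsto y, \qquad f_{12}\,f_{22}^n\,f_{21} = 0_{XY} \ (n \geq 2).$$

The family $\{f_{11}\} \cup \{f_{12} f_{22}^n f_{21}\}_{n \in \mathbb{N}}$ has pairwise disjoint domains (exactly one member is defined at $x$), so by Example 3.2 it is summable in $(Pfn(X, Y), \Sigma)$, and

$$Tr^U_{X,Y}(f) = f_{11} + \Sigma_{n \in \mathbb{N}} f_{12}\,f_{22}^n\,f_{21} : x \mapsto y.$$

The same value arises through the dagger of Theorem 3.9: for $g = in_1 f_{12} + in_2 f_{22} : U \to Y \oplus U$, the iterate $g^\dagger = \Sigma_{n \in \mathbb{N}} f_{12}\,f_{22}^n$ sends $u_1 \mapsto y$ (the $n = 1$ term) and $u_2 \mapsto y$ (the $n = 0$ term), and $Tr^U_{X,Y}(f) = f_{11} + g^\dagger f_{21}$. In Pfn the sum exists because each input leaves the feedback object $U$ for at most one value of $n$; an input on which $f_{22}$ cycles forever contributes only everywhere-undefined summands.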

There are many interesting connections between trace operation and the 
iteration and fixed-point operators. However, we will refrain from discussing 
these for lack of space, for more details see [15,18]. We give a few illustrative 
examples, for more examples see [15]. 



3.1 Examples

1. Consider the category Pfn of sets and partial functions. Recall that a partial function from $X$ to $Y$ is a function from $Dom(f) \subseteq X$ to $Y$. Given $f : X \to Y$ and $g : Y \to Z$, $gf : X \to Z$ is defined by $Dom(gf) = \{x \in X \mid x \in Dom(f),\ f(x) \in Dom(g)\}$ and $(gf)(x) = g(f(x))$ for $x \in Dom(gf)$. The additive structure was given in Example 3.2; the zero morphism $0_{XY} : X \to Y$ is the everywhere undefined partial function. Pfn has countable coproducts given by disjoint union.

2. Consider the category $Rel^+$ of sets and binary relations. Given morphisms $R : X \to Y$ and $S : Y \to Z$, the composition $SR : X \to Z$ is given by the usual relational product, and identity morphisms are identity relations. We have already defined the additive structure for the homsets in Example 3.2. Hence, for any $X$ and $Y$, $Rel^+(X, Y)$ is a partially additive monoid with all families summable, and the zero morphism is the empty relation $\emptyset \subseteq X \times Y$. Note that $Rel^+$ has countable coproducts given by the disjoint union.

3. Consider the category SRel of stochastic relations with measurable spaces $(X, \Sigma_X)$ as objects and stochastic kernels as arrows. An arrow $f : (X, \Sigma_X) \to (Y, \Sigma_Y)$ is a map $f : X \times \Sigma_Y \to [0, 1]$ such that $f(\cdot, B) : X \to [0, 1]$ is a bounded measurable function for fixed $B \in \Sigma_Y$ and $f(x, \cdot) : \Sigma_Y \to [0, 1]$ is a subprobability measure (i.e., a σ-additive set function with $f(x, \emptyset) = 0$ and $f(x, Y) \leq 1$). The identity morphism $1_X : (X, \Sigma_X) \to (X, \Sigma_X)$ is $1_X : X \times \Sigma_X \to [0, 1]$, defined by $1_X(x, A) = \delta(x, A) = 1$ if $x \in A$ and $0$ if $x \notin A$.

For $A$ fixed, $\delta(x, A)$ is the characteristic function of $A$, and for $x$ fixed, $\delta(x, A)$ is the Dirac distribution. Finally, composition is defined as follows: given $f : (X, \Sigma_X) \to (Y, \Sigma_Y)$ and $g : (Y, \Sigma_Y) \to (Z, \Sigma_Z)$, $gf : (X, \Sigma_X) \to (Z, \Sigma_Z)$ is given by $gf(x, C) = \int_Y g(y, C)\, f(x, dy)$.

SRel was proven to be a PAC jointly by Panangaden [29] and the author. It was shown to be a traced symmetric monoidal category directly (without using the partially additive structure) in [1].

4 Full Completeness: A Brief Introduction

Traditional completeness theorems are with respect to provability, whereas full completeness is with respect to proofs. This can be best explained in a categorical model [24]. Let $\mathcal{M}$ be a categorical model of the formulas and proofs of a logic $\mathcal{L}$. This means that $\mathcal{M}$ is a category with an appropriate structure such that formulas of $\mathcal{L}$ are interpreted as objects in $\mathcal{M}$ and proofs $\Pi$ in $\mathcal{L}$ of entailments $A \vdash B$ are interpreted by morphisms $[\![\Pi]\!] : [\![A]\!] \to [\![B]\!]$. Finally, convertibility of proofs in $\mathcal{L}$ with respect to cut-elimination is soundly modeled by the equations between morphisms holding in $\mathcal{M}$. Traditional completeness theorems assert that $\mathcal{M}([\![A]\!], [\![B]\!]) \neq \emptyset$ implies $A \vdash B$ is provable in the logic $\mathcal{L}$ (truth implies provability).

We say that $\mathcal{M}$ is fully complete for $\mathcal{L}$ if for all formulas $A, B$ of $\mathcal{L}$, every morphism $f$ in $\mathcal{M}([\![A]\!], [\![B]\!])$ is the denotation of some proof $\Pi$ of $A \vdash B$ in $\mathcal{L}$: $f = [\![\Pi]\!]$. This amounts to asking that the unique free functor (with respect to any interpretation of the generators) $[\![-]\!] : \mathcal{F} \to \mathcal{M}$ be full. Here $\mathcal{F}$ is the free category generated by the logic $\mathcal{L}$. Thus, full completeness establishes a tighter connection between syntax and semantics than completeness does. This connection can be made even stronger by requiring that the functor $[\![-]\!]$ be faithful too. In other words, a full faithful completeness theorem asserts that every morphism in $\mathcal{M}([\![A]\!], [\![B]\!])$ is the denotation of a unique proof of $A \vdash B$.

The term "full completeness" was coined by Abramsky and Jagadeesan in [2], where they also proved full completeness for a game semantics of Multiplicative Linear Logic with the MIX rule (MLL + MIX). This was followed by a series of papers which established full completeness results for a variety of models with respect to various versions of MLL [20, 8, 7, 25, 26]. Recently Abramsky and Melliès [3] introduced a new concurrent form of game semantics for linear logic and proved a full completeness theorem for Multiplicative-Additive Linear Logic for this semantics. In this paper we will be mainly concerned with MLL and hence we will not further discuss this latter work.

The idea that dinatural transformations could provide a semantics for proofs of a logical system was first introduced in [4] in the programme called "functorial polymorphism" (see below). In this setting a formula is interpreted by a multivariant functor and a dinatural transformation between multivariant functors provides the interpretation for proofs. The problem with dinatural transformations is that they do not compose in general to give a dinatural transformation. Girard, Scedrov and P. Scott [14] showed that a dinatural interpretation in the framework of cartesian closed categories is sound with respect to intuitionistic logic without the cut rule. Based on these ideas and results, R. Blute and P. Scott [8] proved a full completeness theorem for MLL + MIX in the category of reflexive topological vector spaces and a full completeness theorem for the multiplicative fragment of Yetter's cyclic linear logic (CyLL) with the MIX rule [7]. See also [17].

There has also been a considerable body of work on full completeness theo- 
rems for MLL in *-autonomous categories constructed from compact closed or 
symmetric monoidal closed categories. Devarajan, Hughes, Plotkin and Pratt [12] 
prove a full completeness theorem for MLL without MIX interpreted over binary 
logical transformations of Chu spaces over a two-letter alphabet Chu(Set, 2). 

Another important approach to full completeness theorems was introduced in Tan's PhD thesis [31]. Hyland and Tan introduced the double glueing construction which, given a compact closed category $\mathcal{C}$, constructs a *-autonomous category $G\mathcal{C}$. The setting is the proofs-as-dinatural-transformations paradigm. This work is especially important as it has initiated a systematic approach to full completeness theorems for such categorical models. Explicitly, Tan defines compact closed full completeness and reduces the full completeness problem for $G\mathcal{C}$ to compact closed full completeness for $\mathcal{C}$. The lifting of compact closed full completeness to $G\mathcal{C}$ establishes the desired full completeness result. Tan studies several examples: Rel, FDVec, a category of Conway games and topological vector spaces. She proves full completeness for MLL + MIX in these categories (with the exception of Rel, where she has the result for MLL without MIX). However, the passage from compact closed full completeness to full completeness of $G\mathcal{C}$ is not completely algorithmic; that is, each case requires a different treatment.

In Section 6, we will construct categorical models for MLL + MIX based on partially additive categories and prove full completeness theorems for such models. The semantic setting we will be using is the functorial polymorphism of [4]. More explicitly, we start with a partially additive category $\mathcal{D}$ and use the Int construction of Joyal, Street and Verity (equivalently the Geometry of Interaction construction $\mathcal{G}$ of Abramsky [1, 15]) to get a compact closed category $Int\,\mathcal{D}$. We next prove compact closed full completeness for this category. Finally, applying the double glueing construction of Hyland and Tan, we construct a *-autonomous category $G(Int\,\mathcal{D})$, which is a model of MLL + MIX, and we prove full completeness for MLL + MIX in $G(Int\,\mathcal{D})$ by lifting compact closed full completeness in $Int\,\mathcal{D}$. This approach works for all partially additive categories in a uniform way. In this paper we will only be concerned with full completeness for unit-free formulas.



4.1 Functorial Polymorphism

Functorial polymorphism will be the semantic setting we use in our categorical models. Functorial polymorphism, introduced in [4], provides a general categorical framework for the parametric polymorphic lambda calculus. In this setting, types are represented by multivariant functors and terms by certain multivariant, i.e. dinatural, transformations. Applications of this framework to proving full completeness theorems for fragments of linear logic can be found in [8, 7, 17, 31, 12, 3, 15].

Dinatural Interpretation for MLL. 

Definition 4.1. Let $\mathcal{C}$ be a category and $F, G : \mathcal{C}^n \times (\mathcal{C}^{op})^n \to \mathcal{C}$ be multivariant functors. We write $\underline{A}$ for the list $A_1, A_2, \cdots, A_n$. A dinatural transformation $\rho : F \to G$ is a family of $\mathcal{C}$-morphisms $\rho = \{\rho_{\underline{A}} : F(\underline{A}, \underline{A}) \to G(\underline{A}, \underline{A}) \mid \underline{A}$ a list of objects in $\mathcal{C}\}$ satisfying (for all $f_i : X_i \to Y_i$):

$$G(\underline{f}, 1_{\underline{X}})\, \rho_{\underline{X}}\, F(1_{\underline{X}}, \underline{f}) = G(1_{\underline{Y}}, \underline{f})\, \rho_{\underline{Y}}\, F(\underline{f}, 1_{\underline{Y}}).$$

It is well known that a model of MLL consists of a *-autonomous category $\mathcal{C}$ [30]. Following the methods of functorial polymorphism, we interpret formulas of MLL as multivariant functors over such a category $\mathcal{C}$, using the operations $(F \otimes G)(\underline{A}, \underline{B}) = F(\underline{A}, \underline{B}) \otimes G(\underline{A}, \underline{B})$ and $F^\bot(\underline{A}, \underline{B}) = (F(\underline{B}, \underline{A}))^\bot$ on $n$-ary multivariant functors $F, G : \mathcal{C}^n \times (\mathcal{C}^{op})^n \to \mathcal{C}$. Here $\underline{A}$ and $\underline{B}$ are lists of objects in $\mathcal{C}$ that occur co- and contravariantly respectively.

Let $\varphi(\alpha_1, \cdots, \alpha_n)$ be an MLL formula built from the literals $\alpha_1, \cdots, \alpha_n$ and $\alpha_1^\bot, \cdots, \alpha_n^\bot$. To each such formula we associate its interpretation $[\![\varphi(\alpha_1, \cdots, \alpha_n)]\!] : \mathcal{C}^n \times (\mathcal{C}^{op})^n \to \mathcal{C}$ as follows:

1. If $\varphi(\alpha_1, \cdots, \alpha_n) = \alpha_i$, then $[\![\varphi]\!]$ is the covariant projection functor onto the $i$th component of $\underline{A}$. We denote this functor by $\Pi_i^+$.

2. If $\varphi(\alpha_1, \cdots, \alpha_n) = \alpha_i^\bot$, then $[\![\varphi]\!] = (\Pi_i^-)^\bot$, the linear negation of the contravariant projection onto the $i$th component of $\underline{B}$, denoted $\Pi_i^-$.

3. If $\varphi = \varphi_1 \otimes \varphi_2$, then $[\![\varphi]\!] = [\![\varphi_1]\!] \otimes [\![\varphi_2]\!]$.

4. If $\varphi = \psi^\bot$, then $[\![\varphi]\!] = [\![\psi]\!]^\bot$.

The connective ⅋ is defined by De Morgan duality.

We say that a functor is definable if it is the interpretation of a formula in the logic or, equivalently, it is an interpretation of an object in the free category representing the logic. A proof $\Pi$ of $\vdash \Gamma$ is interpreted as a dinatural transformation from the constant $1$ functor, $\mathcal{K}_1$, to the multivariant functor $[\![\Gamma]\!]$.
Remark 4.2. A formula $\varphi(\alpha_1, \cdots, \alpha_n)$ in MLL is an object $F(\underline{X}) = F(X_1, \cdots, X_n)$ in the free *-autonomous category $\mathcal{F}^*(\{X_1, \cdots, X_n\})$ generated on $n$ objects. $F(\underline{X})$ is built from $X_1, \cdots, X_n$ and $X_1^\bot, \cdots, X_n^\bot$ using tensor and par products.³ A proof $\Pi$ of $\vdash \varphi(\alpha_1, \cdots, \alpha_n)$ in MLL is a morphism from the unit of tensor, $1$, to the object $F(\underline{X})$ in $\mathcal{F}^*(\{X_1, \cdots, X_n\})$.



4.2 Coherence and Free Monoidal Categories 

The logical approach to coherence initiated by Lambek in [23], via the equivalence between the deductions in a deductive system and morphisms in a free category, can be used to describe morphisms in a free category. For example, a morphism in the free *-autonomous category (without units) can be interpreted as a proof net [5]. As proof nets are graphs satisfying a correctness criterion, they may be used to determine the existence of morphisms in various free monoidal categories [6]. We assume familiarity with the free compact closed and *-autonomous categories generated on a set of objects. The reader can find a lucid presentation of these constructions in [31]. See also [15].

Definition 4.3. For any object $A$ in a traced symmetric monoidal category $\mathcal{C}$ we define the dimension of $A$ to be the endomorphism $dim(A) = Tr^A_{I,I}(1_I \otimes 1_A) : I \to I$.

For a compact closed category we have: $dim(A) : I \to A \otimes A^* \to A^* \otimes A \to I$.

In $Rel_\times$, $dim(\emptyset) = 0_I$, the empty relation, and $dim(A) = 1_I$ for all $A \neq \emptyset$. In FDVec, $dim(V)$ is the dimension of the vector space $V$. In a partially additive category, $dim(A) = 1_I = 0_I$ for all $A$, since $I$ is the zero object. An object $A$ with $dim(A) = 1_I$ is said to have trivial dimension. So in a PAC all objects have trivial dimension. The Kelly-Mac Lane graph [22] of $dim(A)$, for $A$ in a compact closed category, is a "loop" passing through $A$ and $A^*$.

We now describe the morphisms in the free compact closed category $\mathcal{F}(A)$. For this purpose let $\mathcal{F}_1(A)$ be the free compact closed category generated on a set of objects $A = \{A_1, \dots, A_n\}$ with trivial dimension. Now suppose $F(A_1, \dots, A_n)$ and $G(A_1, \dots, A_n)$ are objects in $\mathcal{F}_1(A)$ built from $A_1, \dots, A_n, A_1^*, \dots, A_n^*$, called literals, using $\otimes$.

A morphism in $\mathcal{F}_1(A)$ from $F(A_1, \dots, A_n)$ to $G(A_1, \dots, A_n)$ is described by pairing the occurrences of literals in the objects (formulas) $F$ and $G$ as follows:

(i) Each literal occurrence is paired with precisely one other literal occurrence.

(ii) An occurrence of $A_i$ (in $F$, say) may be paired with either an occurrence of $A_i^*$ in the same formula ($F$), or with another occurrence of $A_i$ in the other formula ($G$).

(iii) An occurrence of $A_i^*$ may be paired with either an occurrence of $A_i$ in the same formula, or with another occurrence of $A_i^*$ in the other formula.

Now a morphism $F(A_1, \dots, A_n) \to G(A_1, \dots, A_n)$ in $\mathcal{F}(A)$ is a morphism in $\mathcal{F}_1(A)$ tensored with finitely many maps of the form $\dim(A_i) : I \to I$.

⁶ We sometimes use $F(\underline{X}, \underline{X})$ to denote $F(\underline{X})$, in particular when we want to emphasize the functoriality of $F$.
Let $F(\underline{X}) = F(X_1, \dots, X_n)$ be a unit-free object built from $X_1, \dots, X_n$ and $X_1^*, \dots, X_n^*$ by tensor and par connectives. $F(\underline{X})$ corresponds to a formula in MLL, and a proof of $\vdash F(\underline{X})$ in MLL has a categorical interpretation in $\mathcal{F}^*(\underline{X})$ as a morphism $1 \to F(\underline{X})$; conversely a morphism $1 \to F(\underline{X})$ in $\mathcal{F}^*(\underline{X})$ is the categorical representation of a proof of $\vdash F(\underline{X})$ in MLL. Therefore, MLL proof nets can be regarded as a graphical description of morphisms in the free *-autonomous category [5]. Finally, note that the free *-autonomous category supporting the MIX rule merely requires the addition of the unary MIX morphism $m : \bot \to 1$ and the necessary coherence equations.

5 A Double Glueing Construction 

The double glueing construction we recall here is due to Tan and Hyland. Given a compact closed category, this construction produces a *-autonomous category which makes a distinction between the tensor and par products. The motivation for this construction lies in the work of Loader [25] on Linear Logical Predicates (LLP). See also Hasegawa [19] for a more abstract treatment and generalisations of the glueing construction. The presentation here follows [31].

Let $\mathbf{C} = (\mathbf{C}, \otimes, I, (-)^*)$ be a compact closed category. Let $H$ denote the covariant hom functor $\mathbf{C}(I, -) : \mathbf{C} \to \mathbf{Set}$ and $K$ denote the contravariant functor $\mathbf{C}(-, I) = \mathbf{C}(I, (-)^*) : \mathbf{C}^{op} \to \mathbf{Set}$. Define a new category $G\mathbf{C}$, the glueing category of $\mathbf{C}$, whose objects are triples $\mathcal{A} = (|\mathcal{A}|, \mathcal{A}_s, \mathcal{A}_t)$ where

- $|\mathcal{A}|$ is an object of $\mathbf{C}$,
- $\mathcal{A}_s \subseteq H(|\mathcal{A}|) = \mathbf{C}(I, A)$ is a set of points of $A$,
- $\mathcal{A}_t \subseteq K(|\mathcal{A}|) = \mathbf{C}(A, I) = \mathbf{C}(I, A^*)$ is a set of copoints of $A$.

A morphism $f : \mathcal{A} \to \mathcal{B}$ in $G\mathbf{C}$ is a morphism $f : |\mathcal{A}| \to |\mathcal{B}|$ in $\mathbf{C}$ such that $Hf : \mathcal{A}_s \to \mathcal{B}_s$ and $Kf : \mathcal{B}_t \to \mathcal{A}_t$. Given $f : \mathcal{A} \to \mathcal{B}$ and $g : \mathcal{B} \to \mathcal{C}$ in $G\mathbf{C}$, the composite $gf : \mathcal{A} \to \mathcal{C}$ is induced by the morphism $gf$ in $\mathbf{C}$. The identity morphism on $\mathcal{A}$ is given by the identity morphism on $|\mathcal{A}|$ in $\mathbf{C}$.

We will denote the underlying object of $\mathcal{A}$ by $A$, etc. Given objects $\mathcal{A}$ and $\mathcal{B}$ we define the tensor product as follows:

- $|\mathcal{A} \otimes \mathcal{B}| = A \otimes B$,
- $(\mathcal{A} \otimes \mathcal{B})_s = \{\sigma \otimes \tau \mid \sigma \in \mathcal{A}_s,\ \tau \in \mathcal{B}_s\}$,
- $(\mathcal{A} \otimes \mathcal{B})_t = G\mathbf{C}(\mathcal{A}, \mathcal{B}^\perp)$,

where, given $\mathcal{A}$, $\mathcal{A}^\perp = (A^*, \mathcal{A}_t, \mathcal{A}_s)$. We define $\mathcal{A} \multimap \mathcal{B} = (\mathcal{A} \otimes \mathcal{B}^\perp)^\perp$ and $\mathcal{A} ⅋ \mathcal{B} = (\mathcal{A}^\perp \otimes \mathcal{B}^\perp)^\perp$.

Proposition 5.1 (Tan). For any compact closed category $\mathbf{C}$, $G\mathbf{C}$ is a *-autonomous category with tensor $\otimes$ as above and unit $\mathbf{1} = (I, \{\mathrm{id}_I\}, \mathbf{C}(I, I))$.

Remark 5.2. Note that $G\mathbf{C}$ is a nontrivial categorical model of MLL. That is, the tensor and par products are always distinct. For example, $(I, \emptyset, \emptyset) \otimes (I, \emptyset, \emptyset) = (I, \emptyset, \mathbf{C}(I, I))$ while $(I, \emptyset, \emptyset) ⅋ (I, \emptyset, \emptyset) = (I, \mathbf{C}(I, I), \emptyset)$.

Proposition 5.3 (Tan). $G\mathbf{C}$ supports the MIX rule if $\mathbf{C}(I, I) = \{1_I\}$.

In a logical setting one can think of an object $\mathcal{A}$ as an object $A$ in $\mathbf{C}$ together with a collection of proofs of $A$ (the collection $\mathcal{A}_s$) and a collection of disproofs or refutations of $A$ (the collection $\mathcal{A}_t$).

Proposition 5.4 (Tan). The forgetful functor $U : G\mathbf{C} \to \mathbf{C}$ preserves the *-autonomous structure of $G\mathbf{C}$. Furthermore, it has a right adjoint $R : \mathbf{C} \to G\mathbf{C}$, specified by $RA = (A, \mathbf{C}(I, A), \emptyset)$, and a left adjoint $L : \mathbf{C} \to G\mathbf{C}$, specified by $LA = (A, \emptyset, \mathbf{C}(I, A^*))$.
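As an added illustration of the double glueing construction (our own code, not the paper's), the following Python models $G\mathbf{C}$ for $\mathbf{C} = \mathbf{Rel}$ restricted to small finite sets. There $I = \{*\}$, a point of $A$ (a relation $I \to A$) is a subset of $A$, a copoint is likewise a subset, $A^* = A$, and $H f$ and $K f$ are the relational image and preimage. The objects, the hom-set $G\mathbf{C}(\mathcal{A}, \mathcal{B})$, the dual, the tensor and the par are computed directly from the definitions above by enumerating all relations between the carriers; the names `GObj`, `hom`, `tensor`, `par`, `ONE` and `remark_5_2` are ours. Running it reproduces the distinction of Remark 5.2 and shows that $G\mathbf{C}(\mathbf{1}, \mathbf{1})$ is a singleton even though $\mathbf{Rel}(I, I)$ has two elements.

```python
from itertools import combinations, product


def subsets(xs):
    """All subsets of a finite set, as frozensets (helper, not from the paper)."""
    xs = list(xs)
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]


class GObj:
    """An object (|A|, A_s, A_t) of G(Rel): a finite carrier |A|, a set A_s of points
    (subsets of |A|, i.e. relations I -> |A| with I = {'*'}) and a set A_t of copoints."""

    def __init__(self, carrier, points, copoints):
        self.carrier = frozenset(carrier)
        self.s = frozenset(frozenset(p) for p in points)
        self.t = frozenset(frozenset(c) for c in copoints)

    def same(self, other):
        return (self.carrier, self.s, self.t) == (other.carrier, other.s, other.t)


def image(f, sigma):
    """Hf applied to the point sigma: relational image of sigma under f."""
    return frozenset(b for (a, b) in f if a in sigma)


def preimage(f, tau):
    """Kf applied to the copoint tau: relational preimage of tau under f."""
    return frozenset(a for (a, b) in f if b in tau)


def hom(A, B):
    """GC(A, B): relations |A| -> |B| that send points of A into B_s
    and pull copoints of B back into A_t."""
    pairs = [(a, b) for a in A.carrier for b in B.carrier]
    return frozenset(
        f for f in subsets(pairs)
        if all(image(f, s) in B.s for s in A.s)
        and all(preimage(f, t) in A.t for t in B.t))


def dual(A):
    """A^perp = (A*, A_t, A_s); in Rel the dual object A* is A itself."""
    return GObj(A.carrier, A.t, A.s)


def tensor(A, B):
    """A (x) B: carrier |A| x |B|, points sigma x tau, copoints GC(A, B^perp)."""
    carrier = frozenset(product(A.carrier, B.carrier))
    points = [frozenset(product(s, t)) for s in A.s for t in B.s]
    copoints = hom(A, dual(B))  # a relation |A| -> |B| is a subset of |A| x |B|
    return GObj(carrier, points, copoints)


def par(A, B):
    """A par B = (A^perp (x) B^perp)^perp."""
    return dual(tensor(dual(A), dual(B)))


# The unit 1 = (I, {id_I}, C(I, I)) with I = {'*'}; the point id_I is the subset {'*'}.
I = frozenset({'*'})
ONE = GObj(I, [I], subsets(I))


def remark_5_2():
    """Return (I, 0, 0) (x) (I, 0, 0) and (I, 0, 0) par (I, 0, 0), which differ as Remark 5.2 states."""
    E = GObj(I, [], [])
    return tensor(E, E), par(E, E)


if __name__ == "__main__":
    T, P = remark_5_2()
    print("tensor: points", set(T.s), "copoints", set(T.t))  # no points, two copoints
    print("par:    points", set(P.s), "copoints", set(P.t))  # two points, no copoints
    print("|GC(1, 1)| =", len(hom(ONE, ONE)))                 # 1
```

The enumeration in `hom` is exponential in the size of the carriers, which is fine for the two- and three-element carriers needed to exercise the definitions; the point of the code is to make the bookkeeping of points and copoints under tensor and dual concrete, not to scale.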

5.1 Approaching Full Completeness

The full completeness problem for MLL in our setting amounts to the following: given a *-autonomous category $\mathbf{C}$ and a dinatural transformation $\rho : K_1 \to F$, where $1$ is the unit of tensor and $K_1$ the constant functor at $1$, and $F$ is a definable multivariant functor, we would like to prove that $\rho$ is induced by (is a denotation of) a morphism $1 \to F(\underline{X}, \underline{X})$ in the free *-autonomous category on $n$ objects $\{X_1, \dots, X_n\}$. We will be working with unit-free formulas and thus such a morphism is described by the proof net of the formula $F$.

The novelty in Loader and Tan's work included the approach to this problem using *-autonomous categories which are the glueing of compact closed categories, that is, $G\mathbf{C}$ with $\mathbf{C}$ a compact closed category. Now, there is a forgetful functor $U : G\mathbf{C} \to \mathbf{C}$ as we saw in the previous section. The idea is that a dinatural transformation $\rho : K_1 \to F$ in $G\mathbf{C}$ induces a dinatural transformation $U\rho : K_I \to UF$ in the underlying compact closed category $\mathbf{C}$ and is completely determined by it. Note that $UF$ simply consists of tensor products. Full completeness for a compact closed category is defined in the same way, that is, a dinatural transformation $K_I \to F$ must be the denotation of a morphism $I \to F(\underline{X}, \underline{X})$ in the free compact closed category on $n$ objects. Therefore, the full completeness problem for a certain class of *-autonomous categories (those that are glueings of compact closed categories) is reduced to: (1) proving full completeness for the underlying compact closed category, (2) lifting the result to the *-autonomous category. We proceed by recalling the necessary formal definitions and theorems from [31].

Definition 5.5. Let $\mathbf{C}$ be a compact closed category. Then $\mathbf{C}$ satisfies compact closed full completeness if every dinatural transformation $\rho : K_I \to [F]$ (with $[F] : \mathbf{C}^n \times (\mathbf{C}^{op})^n \to \mathbf{C}$) is induced by a morphism $I \to F(\underline{X}, \underline{X})$ in the free compact closed category on $n$ objects $X_1, \dots, X_n$.

Proposition 5.6 (Tan). Let $\mathbf{C}$ be a compact closed category, let $F : \mathbf{C}^n \times (\mathbf{C}^{op})^n \to \mathbf{C}$ be a multivariant functor such that $F(A, A) = A_{\mu_1} \otimes \cdots \otimes A_{\mu_m} \otimes A^*_{\lambda_1} \otimes \cdots \otimes A^*_{\lambda_m}$ (where $\mu_i, \lambda_i \in \{1, \dots, n\}$ for all $i$), and let $\sigma$ be a collection of morphisms $\sigma_A : I \to F(A, A)$ in $\mathbf{C}$. Define $F^-(A) = A_{\lambda_1} \otimes \cdots \otimes A_{\lambda_m}$ and $F^+(A) = A_{\mu_1} \otimes \cdots \otimes A_{\mu_m}$, so that each $\sigma_A$ is canonically equivalent to a morphism $\sigma_A : F^-(A) \to F^+(A)$. Then $\sigma$ is a dinatural transformation in $\mathbf{C}$ iff $\sigma$ is a natural transformation in $\mathbf{C}$.
In view of this observation we can redefine compact closed full completeness as:

A compact closed category $\mathbf{C}$ satisfies compact closed full completeness if every natural transformation $[F^-] \to [F^+]$ (with $[F^-], [F^+] : \mathbf{C}^n \to \mathbf{C}$) is induced by a morphism $F^-(\underline{X}) \to F^+(\underline{X})$ in the free compact closed category on $n$ objects.

Theorem 5.7 (Tan). Suppose that we have a multivariant functor $F : (G\mathbf{C})^n \times (G\mathbf{C}^{op})^n \to G\mathbf{C}$ such that $\rho : K_1 \to F$ is a dinatural transformation in $G\mathbf{C}$. If $\mathcal{A}_1, \dots, \mathcal{A}_n, \mathcal{B}_1, \dots, \mathcal{B}_n$, objects in $G\mathbf{C}$, are such that $U\mathcal{A}_i = U\mathcal{B}_i$ for all $i$, then $U\rho_{\mathcal{A}} = U\rho_{\mathcal{B}}$.

6 Full Completeness in PAC-based Models 

In this section we use PACs to construct models of MLL. Recall that PACs are traced symmetric monoidal categories. For any PAC $\mathbf{D}$, $\mathrm{Int}\,\mathbf{D}$ is a compact closed category and hence $G(\mathrm{Int}\,\mathbf{D})$ is a *-autonomous category. In this way we get a class of models for MLL+MIX, which we show are fully complete for MLL+MIX. Our models support the MIX rule: $\mathrm{Int}\,\mathbf{D}(I, I) = \mathrm{Int}\,\mathbf{D}((I, I), (I, I)) = \mathbf{D}(I, I) = \{1_I\}$. Hereafter, $\mathbf{D}$ denotes a PAC and $\mathbf{C}$ denotes $\mathrm{Int}\,\mathbf{D}$.



6.1 Compact Closed Full Completeness

Definition 6.1. A sequent $\Gamma$ is balanced if each propositional atom $\alpha$ occurs the same number of times as does its linear negation $\alpha^\perp$. The length of a sequent $\Gamma$ is the number of occurrences of literals in $\Gamma$.

If $\Gamma$ has length $p$, then we can speak of the position where each literal occurs, numbered $1$ to $p$. If $\Gamma$ is balanced, and hence $p$ is even, then we can specify the axiom links of a cut-free proof structure associated with $\Gamma$ by a map $\varphi : \{1, \dots, p\} \to \{1, \dots, p\}$ such that $\varphi$ is a fixed-point-free involution and if a propositional atom $\alpha$ occurs in position $i$, then there is an occurrence of $\alpha^\perp$ in position $\varphi(i)$. Thus a cut-free proof structure can be specified as $(\Gamma, \varphi)$, where $\Gamma$ is a balanced sequent of length $p$ and $\varphi$ is a fixed-point-free involution on $\{1, \dots, p\}$ specifying the axiom links.

Let $F(\underline{X}, \underline{X})$ be a formula of length $p$ generated by $X_1, \dots, X_n, X_1^*, \dots, X_n^*$ using $\otimes$. $F(\underline{X}, \underline{X})$ induces a multivariant functor $[F] : \mathbf{C}^n \times (\mathbf{C}^{op})^n \to \mathbf{C}$, which we will refer to as $F$. Also let $\sigma : K_I \to F$ be a dinatural transformation from the constant $I$ functor to $F$. We can canonically transform $\sigma$ into a natural transformation $\sigma : F^- \to F^+$. Suppose that the component of $\sigma$ at $A$ is given by $\sigma_A : I \to F(A, A)$ where $F(A, A) = A^{\varepsilon_1}_{\iota_1} \otimes \cdots \otimes A^{\varepsilon_p}_{\iota_p}$ with $\iota_i \in \{1, \dots, n\}$ and $\varepsilon_i \in \{1, *\}$ ($A^1_i$ is read as $A_i$). Also let $N = \{i \mid \varepsilon_i = *\}$ and $P = \{i \mid \varepsilon_i = 1\}$.

The component of $\sigma$ at $A$ is of the form $\sigma_A : F^-(A) \to F^+(A)$ where $F^-(A) = A_{\lambda_1} \otimes \cdots \otimes A_{\lambda_m}$ and $F^+(A) = A_{\mu_1} \otimes \cdots \otimes A_{\mu_m}$ with $\lambda_i, \mu_i \in \{1, 2, \dots, n\}$. Therefore $|N| = m$ and $|P| = m$.
Lemma 6.2. Let $\sigma : F^- \to F^+$ be a natural transformation as above. Then each type variable that occurs in $F^-$ must also occur in $F^+$. Moreover it must occur in $F^+$ with the same multiplicity.

Proof (idea). The proof of this lemma is prohibitively long to include here. However, the main idea can be sketched as follows. One starts by assuming the negation of the conclusion; the naturality conditions, written out in the category $\mathbf{C}$, then give rise to systems of recursive equations in the components of $\sigma$. These equations are then proven to be inconsistent by double induction on the number of equations and the number of summands in each equation. □

Proposition 6.3. Let $F(\underline{X}, \underline{X})$ be an MLL formula of length $p$ generated by $X_1, \dots, X_n, X_1^*, \dots, X_n^*$ using $\otimes$. Let $[F] : \mathbf{C}^n \times (\mathbf{C}^{op})^n \to \mathbf{C}$ be the induced multivariant functor on $\mathbf{C}$. If $\sigma : K_I \to [F]$ is a dinatural transformation, then $F$ is balanced.

Theorem 6.4. $\sigma : F^- \to F^+$ is a permutation on the tensor factors, i.e. $\sigma_A : F^-(A) \to F^+(A)$ is of the form
$$
\sigma_A = \begin{pmatrix} B_1 & 0 \\ 0 & B_4 \end{pmatrix}
$$
where $B_1$ and $B_4$ are permutation matrices with $B_4 = B_1^t$, and the permutation $\delta \in S_m$ induced by $B_1$ satisfies $\lambda_i = \mu_{\delta(i)}$ for $i = 1, \dots, m$. Here $(-)^t$ denotes the matrix transposition obtained by reflection across the antidiagonal elements.

Proof. Let $\sigma : F^- \to F^+$ be a natural transformation in $\mathbf{C}$, that is, the following diagram commutes:
$$
\begin{array}{ccc}
A_{\lambda_1} \otimes \cdots \otimes A_{\lambda_m} & \xrightarrow{\ \sigma_A\ } & A_{\mu_1} \otimes \cdots \otimes A_{\mu_m} \\[4pt]
{\scriptstyle f_{\lambda_1} \otimes \cdots \otimes f_{\lambda_m}}\ \Big\downarrow & & \Big\downarrow\ {\scriptstyle f_{\mu_1} \otimes \cdots \otimes f_{\mu_m}} \\[4pt]
B_{\lambda_1} \otimes \cdots \otimes B_{\lambda_m} & \xrightarrow{\ \sigma_B\ } & B_{\mu_1} \otimes \cdots \otimes B_{\mu_m}
\end{array}
$$
Hence we have $\mathrm{Tr}(M) = (f_{\mu_1} \otimes \cdots \otimes f_{\mu_m})\,\sigma_A = \sigma_B\,(f_{\lambda_1} \otimes \cdots \otimes f_{\lambda_m}) = \mathrm{Tr}(M')$, where $M$ and $M'$ are given below.

$M$: [the $2m \times 2m$ matrix of $(f_{\mu_1} \otimes \cdots \otimes f_{\mu_m})\,\sigma_A$, with entries of the form $f^{kl}_{\mu_i}\,\sigma_{i,j}$, where $f^{kl}_{\mu_i}$ ($k, l \in \{1, 2\}$) are the four blocks of $f_{\mu_i}$ as a morphism of $\mathrm{Int}\,\mathbf{D}$ and $\sigma_{i,j}$ ($i, j \in \{1, \dots, 2m\}$) are the entries of $\sigma_A$]

$M'$: [the $2m \times 2m$ matrix of $\sigma_B\,(f_{\lambda_1} \otimes \cdots \otimes f_{\lambda_m})$, with entries of the form $\sigma_{i,j}\,f^{kl}_{\lambda_j}$]
By instantiating $f^{kl}_{\lambda_i} = 0$ for $k, l = 1, 2$ and all $i = 1, \dots, m$, and using $\mathrm{Tr}(M) = \mathrm{Tr}(M')$, we conclude that $\sigma_A$ is of the form
$$
\sigma_A = \begin{pmatrix} B_1 & 0 \\ 0 & B_4 \end{pmatrix}
$$
where
$$
B_1 = \begin{pmatrix}
\sigma_{1,1} & \sigma_{1,2} & \cdots & \sigma_{1,m} \\
\sigma_{2,1} & \sigma_{2,2} & \cdots & \sigma_{2,m} \\
\vdots & \vdots & & \vdots \\
\sigma_{m,1} & \sigma_{m,2} & \cdots & \sigma_{m,m}
\end{pmatrix}
: A^+_{\lambda_1} \otimes \cdots \otimes A^+_{\lambda_m} \to A^+_{\mu_1} \otimes \cdots \otimes A^+_{\mu_m},
$$
$$
B_4 = \begin{pmatrix}
\sigma_{m+1,m+1} & \sigma_{m+1,m+2} & \cdots & \sigma_{m+1,2m} \\
\sigma_{m+2,m+1} & \sigma_{m+2,m+2} & \cdots & \sigma_{m+2,2m} \\
\vdots & \vdots & & \vdots \\
\sigma_{2m,m+1} & \sigma_{2m,m+2} & \cdots & \sigma_{2m,2m}
\end{pmatrix}
: A^-_{\mu_m} \otimes \cdots \otimes A^-_{\mu_1} \to A^-_{\lambda_m} \otimes \cdots \otimes A^-_{\lambda_1}.
$$
Next, let $f_{\lambda_i}$ and $f_{\mu_i}$ be the twist, i.e. $f^{11}_{\lambda_i} = f^{22}_{\lambda_i} = 0$ and $f^{12}_{\lambda_i} = f^{21}_{\lambda_i} = 1$ for all $i = 1, \dots, m$, and similarly for $f_{\mu_i}$. We get the following system of equations:



System I:
$$
N N' =
\begin{pmatrix}
\sigma_{1,m} & \cdots & \sigma_{1,1} \\
\sigma_{2,m} & \cdots & \sigma_{2,1} \\
\vdots & & \vdots \\
\sigma_{m,m} & \cdots & \sigma_{m,1}
\end{pmatrix}
\begin{pmatrix}
\sigma_{m+1,m+1} & \cdots & \sigma_{m+1,2m} \\
\sigma_{m+2,m+1} & \cdots & \sigma_{m+2,2m} \\
\vdots & & \vdots \\
\sigma_{2m,m+1} & \cdots & \sigma_{2m,2m}
\end{pmatrix}
= \mathrm{antidiag}(1, 1, \dots, 1),
$$
that is, we have $R^{N}_i C^{N'}_j = 1$ for $j = m - i + 1$ and $0$ otherwise, for $i = 1, \dots, m$.


System II:
$$
N'' N' =
\begin{pmatrix}
\sigma_{m,1} & \cdots & \sigma_{m,m} \\
\sigma_{m-1,1} & \cdots & \sigma_{m-1,m} \\
\vdots & & \vdots \\
\sigma_{1,1} & \cdots & \sigma_{1,m}
\end{pmatrix}
\begin{pmatrix}
\sigma_{m+1,m+1} & \cdots & \sigma_{m+1,2m} \\
\sigma_{m+2,m+1} & \cdots & \sigma_{m+2,2m} \\
\vdots & & \vdots \\
\sigma_{2m,m+1} & \cdots & \sigma_{2m,2m}
\end{pmatrix}
= \mathrm{antidiag}(1, 1, \dots, 1),
$$
that is, $R^{N''}_i C^{N'}_j = 1$ for $j = m - i + 1$ and $0$ otherwise, for $i = 1, \dots, m$.
The rest of the proof consists of several steps:

Step 1: We show that $B_4 = B_1^t$, that is, $\sigma_{i,j} = \sigma_{2m+1-j,2m+1-i}$ for $i, j = m+1, m+2, \dots, 2m$. Note that $(-)^t$ denotes the matrix transposition which is obtained by reflection across the antidiagonal entries.

• case 1: $\sigma_{i,j} = 1$, $\sigma_{2m+1-j,2m+1-i} = 0$. Then $\sigma_{i,j} = 1$ implies that $\sigma_{2m-j+1,k} = 0$ for all $k = 1, \dots, m$ with $k \neq 2m-i+1$; however $\sigma_{2m-j+1,2m-i+1} = 0$ is given. Therefore the row $R_{2m-j+1}$ is zero, giving $R_{2m-j+1} C_{j-m} = 0$, a contradiction.

• case 2: $\sigma_{i,j} = 0$, $\sigma_{2m+1-j,2m+1-i} = 1$. Then $\sigma_{2m-j+1,2m-i+1} = 1$ implies $\sigma_{i,k} = 0$ for all $k \neq j$, but $\sigma_{i,j} = 0$ is given; hence the row $R_{i-m}$ is zero, giving $R_{i-m} C_{2m-i+1} = 0$, a contradiction.

Hence $B_4 = B_1^t$.

Step 2: There are no all-zero rows or columns in $B_1$ or $B_4$.

The $i$th row of $B_1$ is equal to $R^{N}_i$ in reverse order, hence it cannot be all zero since $R^{N}_i C^{N'}_{m-i+1} = 1$. Also the $j$th column of $B_1$ cannot be all zero since $R_{m+1-j} C_j = 1$.

The statement is trivially true for $B_4$ as $B_4 = B_1^t$.

Step 3: In $B_1$ and $B_4$ every row and column has exactly one $1$. Suppose any two elements on the $i$th row of $B_1$ are $1$: $\sigma_{i,j} = \sigma_{i,k} = 1$ for $k \neq j$ with $i, j, k \in \{1, \dots, m\}$. The $i$th row of $B_1$ is $R^{N}_i$ reversed, and hence the corresponding products vanish. For example, suppose $\sigma_{1,1} = \sigma_{1,m} = 1$; then using System II we see that all the elements on the last column of $N'$ are zero, by just using the fact that $\sigma_{1,1} = 1$. Also $\sigma_{2m,2m} = 0$ because $\sigma_{1,m} = 1$. Note that the antidiagonal entry $R_1 C_m$ is then $0$, a contradiction.

Also let any two elements on the $j$th column of $B_1$ be both $1$: $\sigma_{i,j} = \sigma_{k,j} = 1$ for $i \neq k$ with $i, j, k \in \{1, \dots, m\}$. The $j$th column of $B_1$ then forces $R_{m-j+1} = 0$, and as above we get a contradiction.

As $B_4 = B_1^t$, the statement follows for $B_4$.

Therefore, $B_1$ and $B_4$ are permutation matrices. Let $\delta \in S_m$ be the permutation induced by $B_1$, that is $\delta(i) = j$ iff $\sigma_{i,j} = 1$. Then we have $\sigma_{i,j} : A^+_{\lambda_i} \to A^+_{\mu_j}$ equal to $1$ and $\sigma_{2m+1-j,2m+1-i} : A^-_{\mu_j} \to A^-_{\lambda_i}$ equal to $1$, and thus $A_{\lambda_i} = (A^+_{\lambda_i}, A^-_{\lambda_i}) = A_{\mu_{\delta(i)}}$ for all $i = 1, \dots, m$. □

We can view the natural transformation $\sigma_A : F^-(A) \to F^+(A)$ as matching $A_{\lambda_i}$ to $A_{\mu_{\delta(i)}}$ for all $i = 1, \dots, m$. Hence we have:

Corollary 6.5 (Full Completeness in $\mathbf{C}$). Every natural transformation $\sigma : F^- \to F^+$ in $\mathbf{C}$ is induced by a unique morphism $F^-(\underline{X}) \to F^+(\underline{X})$ in the free compact closed category on $n$ objects $X_1, \dots, X_n$ with trivial dimension.
Note that all objects in $\mathbf{C}$ have trivial dimension, i.e. $\dim(A) = 1_I$ for all objects $A$ in $\mathbf{C}$, since $\mathbf{C}(I, I) = \mathbf{D}(I, I) = \{1_I\}$. Therefore, the restriction on dimension can be removed: it amounts to tensoring with finitely many $1_I$ maps, which have no effect. Thus

Corollary 6.6 (Full Completeness in $\mathbf{C}$). Every natural transformation $\sigma : F^- \to F^+$ in $\mathbf{C}$ is induced by a morphism $F^-(\underline{X}) \to F^+(\underline{X})$ in the free compact closed category on $n$ objects $X_1, \dots, X_n$.

Theorem 6.7. Suppose that $\sigma$ is a dinatural transformation in $\mathbf{C}$ from $K_I$ to the multivariant functor $F$. Then there exists a fixed-point-free involution $\varphi$ on $\{1, \dots, p\}$ such that $\iota_{\varphi(i)} = \iota_i$ and $\varepsilon_{\varphi(i)} \neq \varepsilon_i$.

In view of this theorem we see that $\sigma$ determines a unique set of axiom links and hence a unique MLL proof structure for the formula $F$. We will show that this proof structure is indeed a proof net. That is, we need to check the Danos-Regnier correctness criterion. However, as $\mathbf{C}(I, I) = \mathbf{D}(I, I) = \{1_I\}$, $G\mathbf{C}$ satisfies the MIX rule and hence we need only check the acyclicity condition [11, 13].

6.2 Full Completeness in GC

Given a dinatural transformation $\rho : K_1 \to F$ in $G\mathbf{C}$, we have the specification of a unique proof structure, because we have the formula $F$ and the axiom links are given by the fixed-point-free involution $\varphi$ induced by the dinatural transformation $U\rho$ in the underlying compact closed category $\mathbf{C} = \mathrm{Int}(\mathbf{D})$. We show that this proof structure is indeed a proof net. For this purpose we only need to prove acyclicity, as our category $G\mathbf{C}$ satisfies the MIX rule.
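As an added, executable restatement of the correctness check (our own code, not the paper's), the following Python encodes a cut-free proof structure $(\Gamma, \varphi)$ as in Definition 6.1: a sequent is a list of formula trees whose literal occurrences are numbered $1, \dots, p$ left to right, and $\varphi$ is a dictionary on those positions. It checks that $\Gamma$ is balanced and that $\varphi$ is a fixed-point-free involution pairing each atom with its linear negation, then enumerates every Danos-Regnier switching and tests the resulting graph. With `mix=True` only acyclicity is required, which is the situation of this section; with `mix=False` the graph must also be connected, which is the full criterion for MLL without MIX. The encoding (`lit`, `'tensor'`, `'par'`) and the function names are ours.

```python
from itertools import product

# Constructed encoding: ('lit', name, +1) is the atom X, ('lit', name, -1) is X^⊥,
# ('tensor', l, r) and ('par', l, r) are the two MLL connectives.


def lit(name, negated=False):
    return ('lit', name, -1 if negated else 1)


def literals(formula):
    """Literal occurrences of a formula in left-to-right order (positions 1..p of Def. 6.1)."""
    if formula[0] == 'lit':
        return [(formula[1], formula[2])]
    return literals(formula[1]) + literals(formula[2])


def sequent_literals(sequent):
    return [l for f in sequent for l in literals(f)]


def is_balanced(sequent):
    """Def. 6.1: each atom occurs exactly as often as its linear negation."""
    counts = {}
    for name, pol in sequent_literals(sequent):
        counts[(name, pol)] = counts.get((name, pol), 0) + 1
    return all(counts.get((n, 1), 0) == counts.get((n, -1), 0) for n, _ in counts)


def is_axiom_linking(sequent, phi):
    """phi must be a fixed-point-free involution on {1..p} linking every atom to its negation."""
    lits = sequent_literals(sequent)
    p = len(lits)
    if set(phi) != set(range(1, p + 1)):
        return False
    for i in range(1, p + 1):
        j = phi[i]
        if j == i or phi.get(j) != i:
            return False
        if lits[i - 1][0] != lits[j - 1][0] or lits[i - 1][1] != -lits[j - 1][1]:
            return False
    return True


def dr_graphs(sequent, phi):
    """Yield (node_count, edges) for every Danos-Regnier switching of (sequent, phi)."""
    kinds, tree_edges, par_links, leaves = [], [], [], []

    def build(f):
        nid = len(kinds)
        kinds.append(f[0])
        if f[0] == 'lit':
            leaves.append(nid)
        else:
            l, r = build(f[1]), build(f[2])
            if f[0] == 'tensor':
                tree_edges.extend([(nid, l), (nid, r)])  # a tensor link keeps both premises
            else:
                par_links.append((nid, l, r))            # a par link keeps the premise the switching picks
        return nid

    for f in sequent:
        build(f)
    axiom_edges = [(leaves[i - 1], leaves[j - 1]) for i, j in phi.items() if i < j]
    for choice in product((0, 1), repeat=len(par_links)):
        switched = [(n, (l, r)[c]) for (n, l, r), c in zip(par_links, choice)]
        yield len(kinds), tree_edges + axiom_edges + switched


def components_and_acyclic(n, edges):
    """Union-find over an undirected graph: (number of components, whether it is a forest)."""
    parent = list(range(n))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    acyclic = True
    for a, b in edges:
        ra, rb = find(a), find(b)
        if ra == rb:
            acyclic = False   # the edge closes a cycle
        else:
            parent[ra] = rb
    return len({find(i) for i in range(n)}), acyclic


def is_proof_net(sequent, phi, mix=True):
    """MLL+MIX correctness: every DR-graph acyclic; plain MLL additionally needs connectedness."""
    if not (is_balanced(sequent) and is_axiom_linking(sequent, phi)):
        return False
    for n, edges in dr_graphs(sequent, phi):
        comps, acyclic = components_and_acyclic(n, edges)
        if not acyclic or (not mix and comps != 1):
            return False
    return True


if __name__ == "__main__":
    X, Xb = lit('X'), lit('X', True)
    print(is_proof_net([('par', X, Xb)], {1: 2, 2: 1}, mix=False))    # True
    print(is_proof_net([('tensor', X, Xb)], {1: 2, 2: 1}))            # False: the switching graph has a cycle
```

The number of switchings is $2^{k}$ for $k$ par links, so the enumeration is only for small formulas; the structure of the check (balance, axiom-link involution, then per-switching acyclicity, with connectedness dropped exactly when MIX is available) is the point being illustrated.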

Lemma 6.8. Let $F(\underline{X}, \underline{X}) = F_1(\underline{X}, \underline{X}) \otimes F_2(\underline{X}, \underline{X})$ be an object in the free compact closed category on $n$ objects $X_1, \dots, X_n$ with trivial dimension and let $f : I \to F(\underline{X}, \underline{X})$ be a morphism. Suppose also that the induced fixed-point-free involution $\varphi$ does not make a matching between literals in $F_1$ and those in $F_2$; then $f = f_1 \otimes f_2$ where $f_1 : I \to F_1(\underline{X}, \underline{X})$ and $f_2 : I \to F_2(\underline{X}, \underline{X})$.

Theorem 6.9 (Acyclicity). Suppose that $\rho$ is a dinatural transformation in $G\mathbf{C}$ from the constant functor $K_1$ to $F$. Consider the unique proof structure associated with $\rho$. Then for any DR-switching, the associated DR-graph is acyclic.

Proof. Suppose that for a certain DR-switching, the associated DR-graph contains a cycle. Express the shortest cycle as lower connected pairs $(a_1, b_1), \dots, (a_r, b_r)$ where $\varphi(b_i) = a_{i+1}$ for all $i \in \mathbb{Z}_r$. Recall that a lower connected pair in a proof structure is a pair of formulas that are connected by paths not traversing any axiom links [25, 26]. Using the weak distributivity natural transformations, binary MIX morphisms and the associativity and commutativity natural transformations for par and tensor [9], we transform the given dinatural transformation $\rho$ into $\tilde\rho : K_1 \to \tilde F$ such that the cycle is preserved, where $\tilde\rho_A : 1 \to \tilde F(A, A)$ and
$$
\tilde F(A, A) = F_a \otimes \big((A^{a_1} \otimes A^{b_1}) ⅋ \cdots ⅋ (A^{a_r} \otimes A^{b_r})\big).
$$

The procedure is as follows (see also [31] and [2]):

- If a fragment of $F$ has the form $A \otimes (B ⅋ C)$, and $A$ and $B$ are lower connected, then the switching must have assigned left to the par-link in question. In this case, we compose $\rho$ with a natural transformation built from weak distributivity.

- If $A$ and $C$ are lower connected, then the switching must have assigned right to the par-link. In this case, we compose with a natural transformation built from weak distributivity.

- We apply binary MIX, commutativity and associativity, whenever necessary, to separate out each lower connected pair.

Consider the test object $\mathcal{A} = (A, \{0_{A^-, A^+}\}, \{0_{A^+, A^-}\})$ where $A = (A^+, A^-) \neq (I, I)$ and $A^+ = A^-$. Hence $\mathcal{A}^\perp = \mathcal{A}$. Put $\mathcal{A}_i = \mathcal{A}$ for $i = 1, \dots, n$. In what follows there is no need to put $\pm$ superscripts as $A^+ = A^-$; however we have included these for clarity.

Notice that $U(\tilde\rho_{\mathcal{A}}) = f_1 \otimes f_2$ with $f_1 : I \to F_a$ and $f_2 : I \to (A^{a_1} \otimes A^{b_1}) \otimes \cdots \otimes (A^{a_r} \otimes A^{b_r})$, because the part of $\tilde F(A, A)$ consisting of the par product of tensored pairs is closed under the axiom link matchings induced by any dinatural transformation. Therefore $f_2$ must lift to a morphism in $G\mathbf{C}$ from $1$ to $(\mathcal{A}^{a_1} \otimes \mathcal{A}^{b_1}) ⅋ \cdots ⅋ (\mathcal{A}^{a_r} \otimes \mathcal{A}^{b_r})$.

Hence
$$
f_2 \in \big((\mathcal{A}^{a_1} \otimes \mathcal{A}^{b_1}) ⅋ \cdots ⅋ (\mathcal{A}^{a_r} \otimes \mathcal{A}^{b_r})\big)_s
= \big((\mathcal{A}^{a_1} \otimes \mathcal{A}^{b_1})^\perp \otimes \cdots \otimes (\mathcal{A}^{a_r} \otimes \mathcal{A}^{b_r})^\perp\big)_t
$$
$$
= G\mathbf{C}\big((\mathcal{A}^{a_1} \otimes \mathcal{A}^{b_1})^\perp \otimes \cdots \otimes (\mathcal{A}^{a_{r-1}} \otimes \mathcal{A}^{b_{r-1}})^\perp,\ \mathcal{A}^{a_r} \otimes \mathcal{A}^{b_r}\big).
$$
Now consider
$$
\big((\mathcal{A}^{a_1} \otimes \mathcal{A}^{b_1})^\perp \otimes \cdots \otimes (\mathcal{A}^{a_{r-1}} \otimes \mathcal{A}^{b_{r-1}})^\perp\big)_s
= \{\sigma_1 \otimes \cdots \otimes \sigma_{r-1} \mid \sigma_i \in ((\mathcal{A}^{a_i} \otimes \mathcal{A}^{b_i})^\perp)_s\}.
$$
Notice that $((\mathcal{A}^{a_i} \otimes \mathcal{A}^{b_i})^\perp)_s = (\mathcal{A}^{a_i} \otimes \mathcal{A}^{b_i})_t = G\mathbf{C}(\mathcal{A}, \mathcal{A})$ and hence $1_{\mathcal{A}} \in ((\mathcal{A}^{a_i} \otimes \mathcal{A}^{b_i})^\perp)_s$, and therefore $1_{\mathcal{A}} \otimes \cdots \otimes 1_{\mathcal{A}}$ ($r-1$ times) lies in $\big((\mathcal{A}^{a_1} \otimes \mathcal{A}^{b_1})^\perp \otimes \cdots \otimes (\mathcal{A}^{a_{r-1}} \otimes \mathcal{A}^{b_{r-1}})^\perp\big)_s$. On the other hand, $(\mathcal{A}^{a_r} \otimes \mathcal{A}^{b_r})_s = \{0\}$. Now by definition, $f_2 \circ \alpha \in (\mathcal{A}^{a_r} \otimes \mathcal{A}^{b_r})_s = \{0\}$ for all $\alpha \in \big((\mathcal{A}^{a_1} \otimes \mathcal{A}^{b_1})^\perp \otimes \cdots \otimes (\mathcal{A}^{a_{r-1}} \otimes \mathcal{A}^{b_{r-1}})^\perp\big)_s$, and hence $f_2 = 0$, which yields a contradiction because such a morphism cannot induce any axiom links. □

Theorem 6.10 (Full completeness in $G\mathbf{C}$). Every dinatural transformation in $G\mathbf{C}$ from the constant functor $K_1$ to the multivariant functor $F$ is the denotation of a unique cut-free proof in MLL+MIX of the formula $F$, and is therefore induced by a unique morphism $1 \to F(\underline{X}, \underline{X})$ in the free *-autonomous category supporting the MIX rule, on $n$ objects $X_1, X_2, \dots, X_n$.

We conclude this section by stating a negative result for the class of categories $G\mathbf{C}$ with $\mathbf{C} = \mathrm{Int}(\mathbf{D})$ and $\mathbf{D}$ a PAC. Suppose we choose to use the traditional categorical semantics framework [24]. That is, formulas of MLL are objects in $G\mathbf{C}$ and proofs are morphisms. Then we show that $G\mathbf{C}$ fails to be fully complete for MLL.

Theorem 6.11. Let $\mathbf{D}$ be a PAC and $\mathbf{C} = \mathrm{Int}(\mathbf{D})$; interpret the formulas of MLL as objects in $G\mathbf{C}$ and the proofs as morphisms. Then $G\mathbf{C}$ is not fully complete for MLL.
Proof. Let $\mathcal{A} = (A, \mathcal{A}_s, \mathcal{A}_t)$ be an object in $G\mathbf{C}$ with $A = (A^+, A^-)$ and $A^+ = A^-$. Also, let $\mathcal{A}_s = \mathcal{A}_t = \ldots$ Note that $A \otimes A^\perp$ is not an MLL provable formula. We show that there exists a map $f : 1 \to \mathcal{A} \otimes \mathcal{A}^\perp$. Let $f : I \to A \otimes A^*$ be $1_{A^+ \otimes A^+}$. Recall that $\mathbf{1}_s = \{1_I\}$ and therefore $f\alpha = f \in (\mathcal{A} \otimes \mathcal{A}^\perp)_s$ for all $\alpha \in \mathbf{1}_s$. Recall that $(\mathcal{A} \otimes \mathcal{A}^\perp)_t = G\mathbf{C}(\mathcal{A}, \mathcal{A})$ and hence $(\mathcal{A} \otimes \mathcal{A}^\perp)_t \neq \emptyset$. To conclude the proof, we need to show that $\beta f = 1_I$ for all $\beta \in (\mathcal{A} \otimes \mathcal{A}^\perp)_t$; but $\beta f : I \to I$ in $\mathbf{C}$ and $\mathbf{C}(I, I) = \{1_I\}$, therefore $\beta f = 1_I$ and thus $\beta f \in \mathbf{1}_t$ for all $\beta \in (\mathcal{A} \otimes \mathcal{A}^\perp)_t$. □

7 Conclusion and Future Work 

We have shown how to construct models of MLL, i.e. *-autonomous categories, based on PACs. We made use of the Int and double glueing constructions to get such models. We also proved that such models are fully complete for MLL+MIX. The techniques we have used are general enough to allow us to prove that for a traced Unique Decomposition Category [15, 16] $\mathbf{D}$, $G(\mathrm{Int}\,\mathbf{D})$ is fully complete for MLL+MIX. We have not included this result due to lack of space; for details see [15].

A major problem is to extend full completeness to different fragments of linear logic (e.g. additives, exponentials). Game-theoretical models have recently become a major tool in this area. We intend to unify these models with the ones studied in this paper and in the author's thesis [15]. Current results by several research groups appear amenable to an abstract and axiomatic approach which is yet to be developed. First steps towards such an approach were taken by Hyland, Abramsky and their colleagues and students. Recently Abramsky and Mellies announced a novel game-theoretic full completeness result for the multiplicative and additive fragment of linear logic. Current work aims to give new non-game-theoretic fully complete models for the multiplicative and additive fragment of linear logic.
Abstract. The expressive power of functional programming can be improved by identifying and exploiting the characteristics that distinguish data types from function types. Data types support generic functions for equality, mapping, folding, etc. that do not apply to functions. Such generic functions require case analysis, or pattern-matching, where the branches may have incompatible types, e.g. products or sums. This is handled in the constructor calculus, where specialisation of program extensions is governed by constructors for data types. Typing of generic functions employs polymorphism over functors in a functorial type system. The expressive power is greatly increased by allowing the functors to be polymorphic in the number of arguments they take, i.e. in their arities. The resulting system can define and type the fundamental examples above. Some basic properties are established, namely subject reduction, the Church-Rosser property, and the existence of a practical type inference algorithm.



1 Introduction 

Generic programming applies the key operations of the Bird-Meertens style, such as mapping and folding, to a general class of data structures that includes initial algebra types for lists and trees. Such operations are at the heart of data manipulation, so that any improvement here can have a major impact on the size of programs and the cost of their construction. Most treatments of generic programming either focus on the semantics [...] or use type information to drive the evaluation [...]. Functorial ML (fml) [...] showed how evaluation could be achieved parametrically, without reference to types, but was unable to define generic functions and so had to represent them as combinators. Such definitions require a better understanding of data structures that demonstrates why pairing builds them but lambda-abstraction does not. The usual approach, based on introduction-elimination rules for types, does not do so, as it derives both pairing and lambda-abstraction from introduction rules. As data structures are built using constructors, the challenge is to account for them in a new way. This is done in the constructor calculus.

Generic programs are polymorphic in the choice of structure used to hold the data. A second challenge is to represent this polymorphism within a type system. This requires an account of data types that demonstrates why the product of two data types is a data type but their function type is not. The functorial type system will represent a typical data type as the application of a functor F (representing the structure) to a type (or tuple of types) X representing the data. Functor applications are the fundamental operations for constructing data types, in the sense that function types are fundamental for constructing program types. Quantification over functors will capture polymorphism in the structure.

S. Abramsky (Ed.): TLCA 2001, LNCS 2044, pp. 217–…, 2001.

This last statement is a slight simplification. Different functors take different numbers of type arguments, and produce different numbers of results. This information is captured by giving functors kinds of the form m → n where m and n are the arities of the arguments and results. Further, a typical functor is built from a variety of functors, all of different kinds. It follows that a typical generic function cannot be defined for functors of one kind only, but must be polymorphic in arities, too. The inability to quantify over arities was the biggest drawback of fml, whose primitive constants came in families indexed by arities.

In its basic form, the resulting system supports a large class of concrete data types whose terms, built from the given (finite) set of constructors, can be handled by generic operations. In practice, however, programmers need to define their own (abstract) data types. If these contribute new constructors then it is not at all clear how generic functions can be applied to them without additional coding. For example, when a new data type is defined in Haskell then the various fragments of code required for mapping, etc. are added by the programmer. This is better than re-defining the whole function but it is still something less than full genericity.



    >-|> datatype tree(a, b) = leaf a | node b : tree(a, b) : tree(a, b);;

    >-|> let tr = node 3.1 (leaf 4) (leaf 5);;
    tr : (tree :: 2 -> 1)(int, float)
    node 3.1 (leaf 4) (leaf 5)

    >-|> let f x = x + 1;;
    f : int -> int

    >-|> let g y = y *. 3.0;;
    g : float -> float

    >-|> let tr2 = map2 f g tr;;
    tr2 : (tree :: 2 -> 1)(int, float)
    node 9.3 (leaf 5) (leaf 6)

    >-|> let tr3 = plus tr tr;;
    tr3 : (tree :: 2 -> 1)(int, float)
    node 6.2 (leaf 8) (leaf 10)

Fig. 1. Examples of generic programming in FISh2

The solution adopted here is to create the abstract data structures by tagging the underlying concrete data structures with the appropriate names. Since naming can be treated in a uniform fashion, we are able to apply existing generic programs to novel datatypes. Figure 1 contains a (tidied) session from the implementation of the FISh2 language that illustrates some of these ideas. Lines beginning with >-|> and ending with ;; are input by the programmer. The others are responses from the system. A datatype of binary trees is declared. This introduces a new functor tree which takes two arguments; tr : tree(int, float) is a small example of such a tree. tr2 is obtained by mapping the functions f and g over tr. The generic function map2 is a specialised form of the generic function map whose type is given in Section 1.2. Note that even though trees are a new kind of data structure, the mapping algorithm works immediately, without any further coding. The session concludes with an application of the generic addition function plus, which is able to handle any data structure containing any kind of numerical data such as integers and floats.



    let equal x y =
      match (x, y) with
        un, un -> true
      | (x0, x1), (y0, y1) -> (equal x0 y0) && (equal x1 y1)
      | inl x0, inl y0 -> equal x0 y0
      | inr x0, inr y0 -> equal x0 y0
      | _ -> false

Fig. 2. Equality by generic patterns



1.1 The Constructor Calculus

Consider a generic equality function. Intuitively, two data structures are equal if they are built using the same constructor and the corresponding constructor arguments are equal. Figure 2 presents a fragment of pseudo-code which employs the desired style for just three kinds of data structure: un is the unique value of unit type, (x0, x1) is the pairing pair x0 x1 of x0 and x1, and inl and inr are the left and right coproduct inclusions (&& is the conjunction of booleans). These are not actually primitives of the constructor calculus but are familiar terms that will serve here to illustrate the principles. The actual program for equality is given in Figure [...].

Some such algorithm is supported by the equality types in Standard ML [...]. It is not, however, typable as a program in ML because the patterns for un, pair and inl have incompatible types. Generic pattern-matching must be able to branch on any constructor, of any type. This requirement generates a cascade of challenges for the construction of the terms themselves, and more especially for the type derivation rules.
Generic pattern-matching can be represented by iterating a particular form of case analysis called function extension

    under c apply f else g

where c is a constructor, f is the specialisation function applied if the argument is built using c, and g is the default function. Its application to a term t may be written as under c apply f else g to t. For example, the equality defined in Figure 2 can be de-sugared to a series of extensions that ends with

    under inr apply λx0. under inr apply λy0.(equal x0 y0) else λy.false
    else λx, y.false.

The specialisation rule is

    under c apply f else g to c t0 ... t(n-1)  ▷  f t0 ... t(n-1)                     (1)

where n is the number of arguments taken by the constructor c. The default rule is

    under c apply f else g to t  ▷  g t    if t cannot be constructed by c.          (2)

It applies if t is constructed by some other constructor or is an explicit function. Unlike most other approaches to generic programming, e.g. [...], evaluation does not require explicit type information.
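As an added example (our own code, not the paper's nor the FISh2 implementation), the following Python is a small untyped evaluator for function extension. A constructor term c t0 ... t(n-1) is represented as the tuple (c, (t0, ..., t(n-1))) and any other value, in particular a Python function, counts as an explicit function. `extend(c, f, g)` is under c apply f else g: it applies rule (1) when its argument is built by c and rule (2) otherwise, and it needs no type information to decide, which is the point the paragraph above makes. `equal` is the chain of extensions that the de-sugaring of Figure 2 produces, with each match branch becoming an extension on x whose specialisation is itself an extension on y; `size` shows a second generic function over the same constructors. The names `extend`, `is_built_by`, `false_on` and `size` are ours.

```python
# Constructed evaluator for function extension; a constructor term with n arguments is
# the tuple (name, (t0, ..., t_{n-1})); anything else (e.g. a lambda) is an explicit function.

def un():
    return ('un', ())

def pair(x0, x1):
    return ('pair', (x0, x1))

def inl(x0):
    return ('inl', (x0,))

def inr(x0):
    return ('inr', (x0,))


def is_built_by(c, t):
    """True iff t is a constructor term whose head constructor is c."""
    return isinstance(t, tuple) and len(t) == 2 and t[0] == c


def extend(c, f, g):
    """'under c apply f else g' as a function on terms."""
    def extension(t):
        if is_built_by(c, t):
            return f(*t[1])   # rule (1): f receives the n arguments of c
        return g(t)           # rule (2): t has another constructor or is a function
    return extension


def false_on(_):
    return False


def equal(x, y):
    """Generic equality as the de-sugared chain of extensions for Figure 2."""
    on_x = extend('un',   lambda: extend('un', lambda: True, false_on),
           extend('pair', lambda x0, x1: extend('pair',
                              lambda y0, y1: equal(x0, y0) and equal(x1, y1), false_on),
           extend('inl',  lambda x0: extend('inl', lambda y0: equal(x0, y0), false_on),
           extend('inr',  lambda x0: extend('inr', lambda y0: equal(x0, y0), false_on),
                   lambda _x: false_on))))       # ultimate default: λx. λy. false
    return on_x(x)(y)


def size(t):
    """Number of constructor nodes in t; branches for pair/inl/inr take different argument shapes."""
    return extend('pair', lambda x0, x1: 1 + size(x0) + size(x1),
           extend('inl',  lambda x0: 1 + size(x0),
           extend('inr',  lambda x0: 1 + size(x0),
                   lambda _t: 1)))(t)            # un, or any other term, counts as one node


if __name__ == "__main__":
    t = pair(un(), inl(un()))
    print(equal(t, pair(un(), inl(un()))))   # True
    print(equal(inl(un()), inr(un())))        # False: different head constructors
    print(equal(lambda z: z, un()))           # False: an explicit function falls to the default
    print(size(pair(un(), inr(inl(un())))))   # 5
```

Because each specialisation receives exactly the constructor's arguments, the branches of `equal` and `size` take different numbers and kinds of parameters, which is the typing difficulty the text describes; the evaluator itself never consults a type.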

A type for this extension is given by a type for the default function g : T → T'. If extension were like a standard case analysis or its underlying conditional then the same type constraints would also suffice for f. However, f need only be applied to terms t constructed by c. If c has the type scheme

    c : ∀Δc. T0 → ... → T(n-1) → Tn

then specialisation to f is possible whenever Tn and T have been unified by some substitution, without loss of generality their most general unifier υ. Hence f must have type υ(T0 → ... → T(n-1) → T').

For example, the type of equal is the type of its ultimate default function

    λx. λy. false : X → Y → bool

where bool is a type representing booleans, say 1 + 1. The various specialisations take different types. For un it is Y → bool (as un takes no arguments). For pair : X0 → X1 → X0 * X1 it is X0 → X1 → Y → bool. For inl : X0 → X0 + X1 it is X0 → Y → bool.

Several points emerge from this discussion. First, constructors have an associated type scheme which must be principal (most general) for specialisation to preserve typing. Second, the type derivation rules rely on the existence of most general unifiers. Third, the definition of generic equality employs polymorphic recursion, e.g. recursive calls to equal are instantiated to product and coproduct types etc.







Several conclusions can be drawn from these observations. The need for most
general unifiers is not an onerous restriction in practice, but their existence
cannot be guaranteed if type schemes ∀X.T are considered to be types, as in
system F [refs]. Hence type schemes and types must be kept in separate
classes. In other words, data types cannot here be reduced to functions and
quantification. Also, the presence of polymorphic recursion means that not every
term will have a principal type scheme [ref]. As constructors are required
to have them it follows that constructors must be distinguishable from terms
in general. Concerning type inference, we shall see that there is a powerful and
practical type inference algorithm, which only requires types to be given when
defining generic functions (which is probably a good thing to do anyway) but
not when applying them.



1.2 Functorial Types

Now let us consider the data types. It has long been recognised that data
types can be understood semantically as the application of a functor to a type
[ref]. Very briefly, a functor F : C → D between categories C and D sends each
arrow (or function) f : X → Y of C to an arrow F f : FX → FY of D in a way
that preserves composition of arrows and their identities. F f is the mapping of
f relative to F. There have been several approaches to representing functors in
programming languages, starting with Charity [ref]. Basically, they can be
represented either as type constructors or treated as a new syntactic class similar
to the types.

The former approach is less radical, and can be incorporated into existing
languages relatively easily, e.g. Haskell supports a type class of functors. It does,
however, have several limitations. First, there are type constructors which are
not functors. Hence, many operations, such as mapping, cannot be applied to an
arbitrary type constructor. For example, the type constructor that takes X to
X → X is contravariant in the first occurrence of the type X, so that to produce
a function from X → X to Y → Y would require a function from Y to X as
well as one from X to Y.

Second, and more fundamental, is the difficulty of determining where the 
boundary between the structure and the data lies. If the function / is to be 
mapped across a term of type GFX then it is not clear if / is to be applied to 
values of type X or to values of type FX. This can only be resolved by explicit 
type information at the point of application, which could be quite onerous in 
practice. 

A third problem concerns handling data structures that contain several kinds
of data. This would be easy if one could first define map1 for functors of one
argument in isolation, and then map2 for functors of two arguments, etc. but the
presence of inductive data types like lists and trees makes it necessary to handle
simultaneously functors of arbitrary arity. For example, map1 f applied to a list
cons h t introduces map2 (f, map1 f) (h, t). In the simplest cases the problem
can be avoided by providing a function pmap for mapping over polynomials in
two variables [refs] but one can easily construct examples which require
mapping of three or more functions.

The alternative approach, of introducing functors as a new syntactic class,
was introduced in FML [ref]. Now mapping is always defined, and functor composition
is explicit, so that (GF)X and G(FX) are distinct types with distinct behaviour
under mapping. Unfortunately, the system required explicit arity constants for
functors and combinators, which was onerous for programming. Now the func-
torial type system supports arity variables and polymorphism in the arities of
functors, as well as in the functors themselves. For example, the binary product
functor is replaced by a finite product functor P :: m → 1 where m is an arbi-
trary arity. In general, a functor F has kind m → n where m and n are both
arities. When m → n is 0 → 1 then F is a type. When m is 0 then F is an
n-tuple of types. The same arity polymorphism appears in terms, e.g. the family
of mapping combinators mapⁿ of FML have been replaced by a single generic
function

map : ∀n.∀F :: n → 1, X :: n, Y :: n. P(X → Y) → FX → FY (3)

which is polymorphic in the choice of functor F and its arity n as well as the 
argument types represented by the tuples X and Y . Kind inference means that 
it is rarely necessary to specify the kinds explicitly. 

There is an ongoing tension between the functors, as representatives of data
structures, and types, as representatives of executable programs. Of course, func-
tion types are not data types: we cannot define a meaningful equality or mapping
over them. (If we treat lambda-binding as a constructor then we derive mere
syntactic equality of functions.) So we must consider how to relate a system of
functors, for building data types, with a type system designed to support pro-
gramming with functions. In FML the functors and types are kept in separate
syntactic classes. Here, the need for variables that represent tuples of types (of
variable arity) drives us to regard both types and tuples of types as special kinds
of functors. Note, however, that only types will have associated terms. That is,
if t is a term whose type is the functor F then F :: 0 → 1.

So the tension has shifted to the status of the functor of functions F → G.
When X and Y are types then of course X → Y is a type. More generally, if
X and Y are n-tuples of types then so is X → Y, as when typing map above.
Category theory is able to provide some guidance for the general situation. The
appropriate notion of arrow between functors is a natural transformation. A
natural transformation α : F → G between functors F, G : C → D is given by a
family of arrows α_X : FX → GX indexed by the objects of C such that for each
arrow f : X → Y of C we have Gf.α_X = α_Y.Ff. This is a kind of parametricity
condition [ref].

The definition of the exponential, or function object, in a category can be
generalised to define an object in D that represents the natural transformations
from F to G [Jay96]. Thus, if F, G :: m → n are functors in our system then
F → G :: 0 → n is the functor of functions from F to G. When m is not
necessarily 0 we may call this the functor of natural transformations from F to
G and describe its terms similarly. Note that the function functor never takes any
arguments. If it did then we would run into the contravariance problem again.
There is a certain similarity between the type F → G and the type scheme
∀X.FX → GX. However, the type of map shows that F → G may appear
within types where type schemes would not be allowed.

When X and Y are types then terms of type X → Y can be built by lambda-
abstraction in the usual way. This will not work for arbitrary functors F, G ::
m → n as in general there are no terms of type F or G to be manipulated.
However, applying the finite product functor P :: n → 1 yields the type P(F →
G) :: 0 → 1 which may have terms given by tuples of functions, as in the first
argument to map above.

At this point we are able to answer the two original questions. The data 
types are the types built from functors that do not employ the function type 
constructor. The constructors are the introduction symbols for these functors. 
They are able to support the extension mechanism that is used to define generic 
functions. 



1.3 Additional Constant Functors 

We shall consider two additional features that improve the expressive power 
of the constructor calculus. The first provides machinery necessary to support 
functors for abstract data types, like tree in Figure ^ The second is introduction 
of datum types for integers, floats, etc. Both must be introduced in a way that 
supports generic programming. 



1.4 Contents of the Paper 

The focus of this paper is to introduce the machinery necessary for this approach 
to generic programming with enough examples to illustrate its power. However, 
we shall also prove a number of standard results: the existence of most general 
unifiers; that reduction preserves typing; and reduction is Church-Rosser. Also, 
the calculus supports a powerful type inference algorithm. 

The structure of the paper is as follows. Section 2 introduces the arities and
kinds. Section 3 introduces the functors and types and their constructors. Some
simple examples of functors, including lists and binary trees, will be produced
along the way. Section 4 introduces the full term language, including the ex-
tensions. Section 5 introduces the reduction rules and establishes that reduction
satisfies subject reduction and is Church-Rosser. Section 6 introduces a construc-
tor for creating exceptions (as when taking the head of an empty list) which can
then be handled by extensions. Section 7 provides examples of generic functions,
including programs for equality, mapping and folding. Section 8 develops an ef-
fective type inference algorithm. Section 9 introduces tagged terms for abstract
data types. Section 10 introduces the datum types. Section 11 draws conclusions
and looks to future work.
2 Kinds

Tuples of types will be characterised by their arities. The absence of any types is 
represented by the arity 0, a single type by the arity 1. The pairing of an m-tuple 
and an n-tuple of types will have arity (m,n). Hence the arities are generated 
by 

m, n ::= a | 0 | 1 | (m, n) 

where a is an arity variable. We will informally denote (1, 1) by 2. Note, however,
that 3 would be ambiguous as (2, 1) and (1, 2) are distinct arities (as are (m, 0)
and m). The importance of this distinction is that we will be able to index types
within a tuple by a sequence of lefts and rights instead of by an integer, and so
will only need a pair of constructors instead of an infinite family.

The kinds (meta-variable k) are used to characterise the functors. They are
of the form m → n where m and n are arities. If F is a functor that acts on
m-tuples of types and produces n-tuples of types then it has kind m → n.



3 Functors and Their Constructors 

A single syntactic class represents both functors in general and types. Each
functor F has an associated kind k, written F :: k. The types are defined to
be those functors T whose kind is T :: 0 → 1. We shall use the meta-variables
F, G and H for functors and T for types. When F :: 0 → n then it is a tuple
of types and we may write its kinding as F :: n. If all the functors involved in
an expression are types we may omit their kinds altogether. The type schemes
(meta-variable S) are obtained by quantifying types with respect to both arity
variables and kinded functor variables. The functors and raw type schemes are
formally introduced in Figure 3. Let us introduce them informally first.

The functors (stripped of their kinds) and type schemes are given by

F, G, T ::= X | P | C | K | (F, G) | L | R | G F | μF | F → G
S ::= T | ∀X :: k.S | ∀a.S

X represents a functor variable. The finite product functor P has kind P ::
m → 1 for any arity m. When m is 0 then P is a type, namely the unit type. Its
constructor is

intrU : P.

Unfortunately, the constructors do not yet have descriptive names. When m is
1 then P is the unary product. Its constructor is

intrE : ∀X. X → PX.

When m is (p, q) then its constructor is

intrF : ∀m, n.∀X :: m, Y :: n. PX → PY → P(X, Y).

Thus, the usual, binary pairing is given by pair x y = intrF (intrE x) (intrE y).
The intrE's convert raw data into simple data structures (one-tuples) which are
then combined using intrF. We may write (x, y) for pair x y from now on.

The finite coproduct functor C :: m → 1 is dual to the product. When m
is 0 then C is the empty type, and has no constructor. When m is 1 then the
constructor is

intrC : ∀X. X → CX.

When m is (p, q) then the coproduct has two inclusions

intrA : ∀m, n.∀X :: m, Y :: n. CX → C(X, Y)
intrB : ∀m, n.∀X :: m, Y :: n. CY → C(X, Y).

The usual inclusions to the binary coproduct may thus be written as inl x =
intrA (intrC x) and inr y = intrB (intrC y).

The functors P and C convert tuples of types into types. Now we must con-
sider how to build the former. First we have empty tuples of types, constructed
by the kill functor K :: m → 0. It is used to convert a type T into a “constant
functor” that ignores its argument. Its constructor is

intrK : ∀m.∀X :: 1, Y :: m. X → (XK)Y.

For example, the empty list is built using intrK intrU : (PK)(A, X) where A is
the type of the list entries and X is the list type itself.

If F :: p → m and G :: p → n are functors able to act on the same arguments
then their pairing is (F, G) :: p → (m, n). There are no constructors for pairs of
functors as they are not types. Rather, we shall have to adapt the constructors
to handle situations in which functor pairing is relevant.

Corresponding to functor pairing we have left and right functor projections
L :: (m, n) → m and R :: (m, n) → n with constructors¹

intrL : ∀m, n.∀F :: m → 1, X :: m, Y :: n. FX → (FL)(X, Y)
intrR : ∀m, n.∀F :: n → 1, X :: m, Y :: n. FY → (FR)(X, Y).

They are used to introduce “dummy” functor arguments. For example, to build
leaf x : tree(A, B) from some term x : A we begin with

intrL (intrL (intrE x)) : ((PL)L)((A, B), tree(A, B))

to convert it into a data structure built from data of type A, B and tree(A, B).
Application of intrE introduces a functor application which supports the two
applications of intrL. Note that were F to be elided from the type of intrL then
the outermost application above would fail.

The kinding of L and R is made possible by the way the arities are structured.
For example, we have LL :: (2, 1) → 1. By contrast, in FML arities are given by
natural numbers which must then be used to index the projection functors, such
as those of kind 3 → 1. This indexing then leaks into the term language, with onerous
results.

¹ In earlier drafts there were four constructors here. The original intrL and intrR have
been dropped and their names taken by the other two.

If F :: m → n and G :: n → p are functors then GF :: m → p is their
composite functor. When F is a type or tuple of types then we may speak of
applying G to F. Composition associates to the right, so that GFX is to be read
as G(FX). The associated constructor is

intrG : ∀m.∀G :: 1 → 1, F :: m → 1, X :: m. G(FX) → (GF)X.

The restriction on the kind of G is a consequence of the tension between functors
and types discussed in the introduction. It is necessary to be able to define func-
tions like map in Section 7. We also need a constructor for handling composites
involving pairs of functors, namely

intrH : ∀m.∀H :: 2 → 1, F :: m → 1, G :: m → 1, X :: m. H(FX, GX) → (H(F, G))X.

With the structure available so far we can construct arbitrary polynomial func-
tors. Now let us consider their initial algebras. For example, lists with entries of
type A are often described as a solution to the domain isomorphism

given by μX.1 + A * X. Here μX indicates that the smallest solution to the
domain isomorphism is sought, i.e. the inductive type or initial algebra for the
functor F where F(A, X) = 1 + A * X. We can represent such an F as follows.
A * X is just P(A, X) and 1 becomes P which becomes (PK)(A, X). Thus F =
C(PK, P) :: (1, 1) → 1. Now we must represent the initial algebra construction.
Instead of introducing a type variable X only to bind it again, we adopt the
convention that it is the second argument to the functor that represents the
recursion variable. That is, if F :: (m, n) → n then μF :: m → n. For example,
list = μC(PK, P) :: 1 → 1 is a functor for lists. The corresponding constructor
is

intrI : ∀m.∀F :: (m, 1) → 1, X :: m. F(X, (μF)X) → (μF)X.

Binary trees can be represented by the functor μ((PL)L + (PR)L * (PR * PR))
called tree, where (PL)L represents the leaf data, (PR)L represents the node
data and PR represents the sub-trees.

Let us consider functions between functors, or natural transformations. If
F :: m → n and G :: m → n are functors of the same kind then F → G :: 0 → n
is their function functor. If X and Y are types then we can build lambda-terms
λ(x : X).(t : Y) : X → Y in the usual way but λx is not a data constructor in
the formal sense employed here.

We can recover a type from F → G :: 0 → n by applying the product functor
P :: n → 1 to get P(F → G) (as appears in the type for map). Can we build any
terms of such types? If fᵢ : Xᵢ → Yᵢ for i = 0, 1 then there is a pair

(f₀, f₁) :: P(X₀ → Y₀, X₁ → Y₁)

whose type is structurally different to P((X₀, X₁) → (Y₀, Y₁)). The solution
adopted is to exploit semantic insights and assert the type identity

(X₀, X₁) → (Y₀, Y₁) = (X₀ → Y₀, X₁ → Y₁).




Fig. 3. The functorial type system 



A functor context A; Δ is given by an arity context A and a finite sequence
Δ of distinct functor variables X with assigned kinds m → n where n is not
of the form (p, q). This restriction arises because type inference for program
extensions requires fine control over the effects of substitutions. The key case
is when an arity variable n is replaced by a pair (p, q) and there is a functor
variable X :: m → n. To ensure that the arity substitution has achieved its full
effect X must be replaced by (Y, Z) for some fresh variables Y :: m → p and
Z :: m → q. Write dom(Δ) for the set of functor variables appearing in Δ.

We have the following judgement forms concerning functor contexts, functors
and constructors. A; Δ ⊢ asserts that A; Δ is a well-formed functor context.
A; Δ ⊢ F :: k asserts that F is a well-formed functor of kind k in functor context
A; Δ. A; Δ ⊢ S asserts that S is a well-formed type scheme in functor context
A; Δ. The judgement ⊢ c : S asserts that the constructor c has type scheme S.
We shall often write the context as Δ leaving the arity context A implicit, and
may write Δ ⊢ m when A ⊢ m.

The free and bound variables of a functor or scheme are defined in the usual 
way. Type schemes are defined to be equivalence classes of well-formed raw type 
schemes under a-conversion of bound variables. 

A functor substitution σ is given by an arity substitution σ_A and a partial
function σ_F from functor variables to functors. Let A; Δ and A'; Δ' be well-
formed functor contexts. Define σ : A; Δ → A'; Δ' if σ_A : A → A' and dom(Δ)
is contained in the domain of σ_F and further if Δ(X) = k then Δ' ⊢ σ_A σ_F X ::
σ_A k. That is, σ preserves kinds. Note that if n is an arity variable such that
σ_A(n) = (p, q) and X :: m → n then σ_F(X) must be some pair (F, G) because the
variable X cannot have kind m → (p, q) in Δ'. The image of σ is the set of arity
variables and the set of functor variables that are free in arities (respectively
functors) of the form σu where u is a variable in the domain of σ. The action
of such a σ extends homomorphically to any expression that is well-formed in
context Δ (including those to be defined below). Composition is defined as for
arity substitutions.

Lemma 1. If Δ ⊢ J has a derivation and σ : Δ → Δ' is a functor substitution
then Δ' ⊢ σJ also has a derivation.

Proof. By induction on the structure of J.

The most general unifier U(F, G) of a pair of functors is defined as usual.

Theorem 1. Let Δ ⊢ F :: k and Δ ⊢ G :: k' be well-formed functors. If F and
G have a unifier then they have a most general unifier.

Proof. The proof is not quite standard. Note that if arity substitution causes
a functor variable X to have kind m → (p, q) then X must be replaced by a
pair of functor variables. Also, when unifying F₀ → F₁ and (G₀, G₁) then let
X₀, X₁, X₂ and X₃ be fresh variables and unify F₀ with (X₀, X₁) and F₁ with
(X₂, X₃) and G₀ with X₀ → X₂ and G₁ with X₁ → X₃.



3.1 Denotational Semantics 

The denotational semantics of these syntactic functors is defined as follows. Let
E be a cartesian closed locos [Coc90, Jay95b]. These include all toposes that have
a natural numbers object, such as Set or the effective topos [Hyl82], and also
categories used in domain theory such as ω-complete partial orders. They can be
thought of as a minimal setting in which both lists and functions are definable.

The denotational semantics of the type schemes has not yet been developed
but should prove amenable to the methods developed for FML [JBM98].

3.2 Kind Inference 

A binding for an unkinded functor F is a functor context A; Δ and a kind k
such that A; Δ ⊢ F :: k. It is a principal binding for F if for any other binding
A'; Δ' ⊢ F :: k' there is an arity substitution σ : A → A' such that σk = k'.

Theorem 2. If an unkinded functor F has a binding then it has a principal 
binding. 

Proof. The kind inference algorithm W follows Milner's algorithm [ref].

Algorithm W takes a four-tuple (A, Δ, F, k) and tries to produce an arity
substitution σ : A → A' such that A'; σΔ ⊢ F :: σk. We initialise the choices of
A, Δ and k with fresh variables as follows.

Assign each functor variable X in F a kind whose source and target are
fresh arity variables. Let A be some sequence of these arity variables and Δ be
some sequence of the kinded functor variables created above. Let k = m → n be
another fresh kind.

The algorithm proceeds by induction on the structure of F. The proofs that
σ produces a principal kind follow the same pattern. Here are the cases.

1. F is a functor variable X. Then σ = U(Δ(X), k).

2. F is (G, H). Let n₀ and n₁ be a pair of fresh arity variables. Let

ν : A → A' = U(n, (n₀, n₁))
σ₁ : A' → A'' = W(A', νΔ, G, ν(m → n₀)) and
σ₂ : A'' → A''' = W(A'', σ₁νΔ, H, σ₁ν(m → n₁)).

Then σ is σ₂σ₁ν.

3. F is μG. Then σ = W(A, Δ, G, (m, n) → n).

4. F is F₀ → F₁. Let m and n be fresh arity variables and let

ν : A → A' = U(k, 0 → n)
σ₁ : A' → A'' = W(A', νΔ, F₀, m → n) and
σ₂ : A'' → A''' = W(A'', σ₁νΔ, F₁, σ₁(m → n)).

Then σ is σ₂σ₁ν.

5. F is a constant of kind k'. Then σ is U(k, k').
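As an added illustration of Algorithm W (example code written for this edition, not an implementation from the paper), the following Python models arities, kinds and functor expressions as tagged tuples and runs the five cases above. It also adds a case for functor composition G F, kinded m → p from F :: m → n and G :: n → p as in Section 3, which the list of cases above does not spell out; that case, the tuple encodings, the names `W`, `unify`, `principal_binding` and the fresh kind schemes chosen for the constants P, C, K, L and R are this example's own assumptions. It infers the kind of the list functor μC(PK, P) and of the type of map, and shows a functor with no binding.

```python
"""Kind inference (Algorithm W of Section 3.2) over arities and kinds.
Example code written for this edition; the tuple encodings below are assumptions."""
from itertools import count

_counter = count()

def fresh(prefix="a"):
    """A fresh arity variable, encoded as ('var', name)."""
    return ("var", f"{prefix}{next(_counter)}")

class UnifyError(Exception):
    """Raised when two arities or kinds have no unifier."""

# Arities:  0 | 1 | ('var', a) | ('pair', m, n).   Kinds:  ('kind', m, n)  for  m -> n.
def walk(s, a):
    """Apply the arity substitution s (dict: variable name -> arity) throughout a."""
    if isinstance(a, tuple):
        if a[0] == "var":
            return walk(s, s[a[1]]) if a[1] in s else a
        return (a[0],) + tuple(walk(s, x) for x in a[1:])
    return a

def occurs(name, a):
    """Occurs check: does the arity variable `name` appear in a?"""
    return isinstance(a, tuple) and (a == ("var", name) or any(occurs(name, x) for x in a[1:]))

def unify(a, b, s):
    """Extend s to a most general unifier U(a, b) of two arities or two kinds."""
    a, b = walk(s, a), walk(s, b)
    if a == b:
        return s
    for x, y in ((a, b), (b, a)):
        if isinstance(x, tuple) and x[0] == "var":
            if occurs(x[1], y):
                raise UnifyError(f"{x[1]} occurs in {y}")
            return {**s, x[1]: y}
    if isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0] and len(a) == len(b):
        for x, y in zip(a[1:], b[1:]):
            s = unify(x, y, s)
        return s
    raise UnifyError(f"cannot unify {a} with {b}")

def constant_kind(c):
    """A fresh instance of the kind scheme of a constant functor (Section 3)."""
    m, n = fresh("m"), fresh("n")
    return {"P": ("kind", m, 1), "C": ("kind", m, 1), "K": ("kind", m, 0),
            "L": ("kind", ("pair", m, n), m), "R": ("kind", ("pair", m, n), n)}[c]

# Functors: ('X', name) | ('P',) | ('C',) | ('K',) | ('L',) | ('R',) |
#           ('pair', G, H) | ('mu', G) | ('arrow', F0, F1) | ('comp', G, F)  for  G F
def W(delta, F, k, s):
    """Extend s so that (s delta) |- F :: s k, following the cases of Algorithm W."""
    tag = F[0]
    if tag == "X":                                   # case 1: functor variable
        return unify(delta[F[1]], k, s)
    if tag in ("P", "C", "K", "L", "R"):             # case 5: constant of kind k'
        return unify(k, constant_kind(tag), s)
    _, m, n = k
    if tag == "pair":                                # case 2: (G, H), with n = (n0, n1)
        n0, n1 = fresh("n"), fresh("n")
        s = unify(n, ("pair", n0, n1), s)
        s = W(delta, F[1], ("kind", m, n0), s)
        return W(delta, F[2], ("kind", m, n1), s)
    if tag == "mu":                                  # case 3: mu G needs G :: (m, n) -> n
        return W(delta, F[1], ("kind", ("pair", m, n), n), s)
    if tag == "arrow":                               # case 4: F0 -> F1 :: 0 -> n'
        m1, n1 = fresh("m"), fresh("n")
        s = unify(k, ("kind", 0, n1), s)
        s = W(delta, F[1], ("kind", m1, n1), s)
        return W(delta, F[2], ("kind", m1, n1), s)
    if tag == "comp":                                # G F :: m -> p when F :: m -> n, G :: n -> p (assumed case)
        p = fresh("p")
        s = W(delta, F[2], ("kind", m, p), s)
        return W(delta, F[1], ("kind", p, n), s)
    raise ValueError(f"unknown functor form {tag}")

def functor_vars(F):
    if F[0] == "X":
        return {F[1]}
    return set().union(*(functor_vars(G) for G in F[1:]))

def principal_binding(F):
    """Kinds for the functor variables of F and the principal kind of F (Theorem 2)."""
    delta = {x: ("kind", fresh("m"), fresh("n")) for x in sorted(functor_vars(F))}
    k = ("kind", fresh("m"), fresh("n"))
    s = W(delta, F, k, {})
    return {x: walk(s, kx) for x, kx in delta.items()}, walk(s, k)

def has_binding(F):
    """True when F has a (hence a principal) binding, False when unification fails."""
    try:
        principal_binding(F)
        return True
    except UnifyError:
        return False

P, C, K = ("P",), ("C",), ("K",)
X, Y, F = ("X", "X"), ("X", "Y"), ("X", "F")
LIST = ("mu", ("comp", C, ("pair", ("comp", P, K), P)))     # mu C(PK, P)
MAP_TYPE = ("arrow", ("comp", P, ("arrow", X, Y)),            # P(X -> Y) -> FX -> FY
            ("arrow", ("comp", F, X), ("comp", F, Y)))

if __name__ == "__main__":
    for name, G in (("list", LIST), ("map type", MAP_TYPE)):
        print(name, principal_binding(G))
    print("mu(X -> Y) has a binding:", has_binding(("mu", ("arrow", X, Y))))
```

Two things the run makes visible. Inference gives μC(PK, P) the kind a → 1 for a free arity variable a, of which the 1 → 1 stated above is an instance, because PK :: m → 1 for every m. For the type of map it reports X, Y :: a → b and F :: b → 1, which instantiates to the X, Y :: n and F :: n → 1 of equation (3) at a = 0; and μ(X → Y) has no binding, since case 3 demands a source arity of the form (m, n) while case 4 fixes it to 0.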

4 Terms 

The raw terms are given by

t ::= x | t t | λx.t | let x = t in t | fix(λx.t) | c | under c apply t else t.

x is a variable. The application, λ-abstraction and let-construct all take their
standard meanings. Let g.f be notation for λx.g(f x). The fixpoint construct
supports fixpoints with respect to a type scheme instead of a type, i.e. poly-
morphic recursion. We shall often use explicit recursion to represent fixpoints.
For example, a declaration of the form f x = t where f is free in t stands for
fix(λf.λx.t). A term of the form c t₀ … tₙ₋₁ where c is a constructor taking n
arguments is constructed by c. The lambda-abstractions, extensions and partially
applied constants are collectively known as explicit functions.

A term context Γ is a finite sequence of term variables with assigned type
schemes. A context A; Δ; Γ consists of a functor context A; Δ and a term context
Γ whose type schemes are all well-formed with respect to A; Δ. The set of free
functor (respectively, arity) variables of Γ is given by the union of the sets of free
functor (respectively arity) variables in the type schemes assigned to the term
variables in Γ.

The closure closure(Γ, T) of a type T with respect to a term context Γ is given
by quantifying T with respect to those of its free arity and functor variables which
are not free in Γ (the order of variables will not prove to be significant).

We have the following judgement forms concerning term contexts and terms.
Δ; Γ ⊢ asserts that Δ; Γ is a well-formed context. Δ; Γ ⊢ t : T asserts that t
is a term of type T in the context Δ; Γ. The type derivation rules for terms are
given in Figure 4. Let us consider them now in turn.

If x is a term variable in Γ then it can be treated as a term typed by any
instantiation of its type scheme, as given by a substitution a from its bound 
variables to the functor context. Similarly, any constructor c can be treated as 
a term. The rules for application, lambda-abstraction and let-construction are 
standard. 

The main premise for polymorphic recursion equips the recursion variable 
X with a type scheme whose instantiation will provide the type of the resulting 
term. This means that x may take on many different instantiations of this scheme 
in typing the recursion body, e.g. equal may act on many different kinds of 
structures. Of course, this will limit the power of type inference, because of the 
wide range of possible type schemes that can produce a given type. 

The default behaviour of a term under c apply t₁ else t₂ is that of t₂. Hence
any type for the whole extension must be a type T → T' for t₂. In a standard
case analysis or conditional, t₁ would be required to have the same type as t₂
but here different cases may have different types, depending on whether the
argument is a pair, an inclusion (of coproduct type), a list, etc. That is, each
case must be typed in a context that includes local type information that is not
relevant to the overall type. More precisely, if the extension is applied to a term
constructed by c then its type will be an instantiation of both the result type
of c and the argument type T of t₂. In other words, it is an instantiation of the
most general unifier ν of Tₙ and T. Thus when the specialisation is invoked the
extension need only have type ν(T → T') and so t₁ (which acts on the arguments
of c) must have type ν(T₀ → … → Tₙ₋₁ → T').
Term Contexts (Γ)

$$\frac{\Delta \vdash}{\Delta;\ \vdash}
\qquad
\frac{\Delta;\Gamma \vdash \qquad \Delta \vdash S \qquad x \notin \mathrm{dom}(\Gamma)}{\Delta;\Gamma, x : S \vdash}$$

Terms (t)

$$\frac{\Delta;\Gamma \vdash \qquad \Gamma(x) = \forall\Delta'.T \qquad \sigma : \Delta' \to \Delta}{\Delta;\Gamma \vdash x : \sigma T}
\qquad
\frac{\vdash c : \forall\Delta_c.T \qquad \sigma : \Delta_c \to \Delta}{\Delta;\Gamma \vdash c : \sigma T}$$

$$\frac{\Delta;\Gamma \vdash t : T_1 \to T_2 \qquad \Delta;\Gamma \vdash t_1 : T_1}{\Delta;\Gamma \vdash t\ t_1 : T_2}
\qquad
\frac{\Delta;\Gamma, x : T_1 \vdash t : T_2}{\Delta;\Gamma \vdash \lambda x.t : T_1 \to T_2}$$

$$\frac{\Delta;\Gamma \vdash \qquad \Delta,\Delta_1;\Gamma \vdash t_1 : T_1 \qquad \Delta;\Gamma, x : \forall\Delta_1.T_1 \vdash t_2 : T_2}{\Delta;\Gamma \vdash \mathbf{let}\ x = t_1\ \mathbf{in}\ t_2 : T_2}$$

$$\frac{\Delta;\Gamma \vdash \qquad \Delta,\Delta_1;\Gamma, x : \forall\Delta_1.T \vdash t : T \qquad \sigma : \Delta_1 \to \Delta}{\Delta;\Gamma \vdash \mathbf{fix}(\lambda x.t) : \sigma T}$$

$$\frac{\vdash c : \forall\Delta_c.T_0 \to \cdots \to T_n \qquad \Delta;\Gamma \vdash t_2 : T \to T' \qquad \nu = U(T_n, T) : \Delta,\Delta_c \to \Delta' \qquad \Delta';\nu\Gamma \vdash t_1 : \nu(T_0 \to \cdots \to T_{n-1} \to T')}{\Delta;\Gamma \vdash \mathbf{under}\ c\ \mathbf{apply}\ t_1\ \mathbf{else}\ t_2 : T \to T'}$$

Fig. 4. Terms of the constructor calculus



It is unusual for unifiers to appear in type derivation rules, as opposed to
type inference. Further, the substitution in the premises does not appear in the
conclusion and so type inference will have to backtrack to remove its effects from
the final result (see Section 8).

Free and bound term variables are defined in the usual way. A term substi-
tution σ is a partial function from term variables to terms. If Δ is a functor
context and Γ and Γ' are term contexts then σ : Δ; Γ → Δ; Γ' if Δ; Γ and Δ; Γ'
are well-formed and for each term variable x in Γ we have Δ; Γ' ⊢ σx : Γ(x). A
term is an equivalence class of raw terms under substitution for bound variables.

Lemma 2. If Δ; Γ ⊢ J has a derivation and σ : Δ; Γ → Δ; Γ' is a term
substitution then Δ; Γ' ⊢ σJ also has a derivation.

Proof. By induction on the structure of the derivation of J. 

5 Evaluation 

The basic reduction rules are represented by the relation > in Figure 5. A re-
duction t → t' is given by the application of a basic reduction to a sub-term.
All of the reduction rules are standard except those for extensions. Reduction of
extensions amounts to deciding whether to specialise or not. A term t cannot be
constructed by a constructor c if it is an explicit function, or is constructed by
some constructor other than c.



(λx.t₂) t₁ > t₂{t₁/x}
let x = t₁ in t₂ > t₂{t₁/x}
fix(λx.t) > (λx.t) fix(λx.t)
under c apply f else g to c t₁ … tₙ > f t₁ … tₙ
under c apply f else g to t > g t if t cannot be constructed by c



Fig. 5. Evaluation rules 



Theorem 3 (subject reduction). Reduction preserves typing. 

Proof. The only novel cases are in specialisation. Consider a reduction 

under c apply f else g to c t₀ … tₙ₋₁ > f t₀ … tₙ₋₁

and a type derivation for the left-hand side. Let c have type scheme ∀Δ_c.T₀ →
… → Tₙ and g have derived type T → T'. It follows that the argument
c t₀ … tₙ₋₁ must have type T and that T must be σ(Tₙ) for some substi-
tution σ on Δ_c. Hence σ factors through the most general unifier of Tₙ and T
by some substitution ρ. Hence f : σ(T₀ → … → Tₙ₋₁ → T') by Lemma 1 applied
to ρ. Now the right-hand side of the reduction has type σT' which is T' as σ
only acts on Δ_c.



Theorem 4. Reduction is Church- Rosser. 

Proof. The rules for specialisation can be viewed as a finite family of rules,
one for each constructor c. Then all the reduction rules are left-linear and non-
overlapping, so we can apply Klop's general result [ref].

6 Exceptions 

Any account of data types must address the issue of missing data. For example, 
taking the head of an empty list. In imperative languages this often results in 
a void pointer. In pointer-free languages like ML or Java such problems are ad- 
dressed by introducing exceptions. These flag problems during evaluation and 
may change the flow of control in ways that are difficult to specify and un- 
derstand. Exceptions may be caught and handled using any arguments to the 
exception as parameters. 
Exceptions arise here when an extension is applied to an argument of the
wrong form, either constructed by the wrong constructor or an explicit function.
The solution is to add one more constructor 

exn : ∀X, Y. X → Y

which represents an exception that carries an argument. As exn is a constructor 
it can be handled using the extension mechanism without additional machinery. 
The only issue is that the exception may produce a function, rather than data. 
This would be bad programming style but can be handled by introducing one 
additional evaluation rule 

exn s t > exn s 

Rewriting is still confluent because the left-hand side is not a term constructed 
by exn as it is applied to two arguments, not one. 

7 Examples 

Let us begin with a generic equality relation. We can use C(P, P) to represent
a type bool of booleans with true = inl intrU and false = inr intrU and let &&
be an infix form of conjunction, defined by nested extensions. In the generic
test for equality it is not necessary that the arguments have the same type,
though this will be the case if they are indeed equal. So the type for equality is
X → Y → bool. The program is given in Figure 6. Each pattern in the program
corresponds to one extension. For example,

| intrE x → under intrE apply equal x else λy. false

represents under intrE apply λx. under intrE apply equal x else λy. false else, while
the final pattern of the form | _ → t represents the default function λx.t.
Obviously, the algorithm is quite independent of the nature of the individual
constructors, one of the reasons that equality can sometimes be treated by ad
hoc methods.

Before tackling more complex examples like mapping, we shall require a little 
more infrastructure. In particular, we shall require eliminators corresponding to 
the constructors. Happily, these can be defined by extensions. For example, 

elimE = under intrE apply λx.x else exn intrE : PX → X 

is the eliminator corresponding to intrE. If applied to some intrE t then it returns 
t. Otherwise an exception results. 

In general each constructor has eliminators corresponding to the number of 
its arguments. intrU has no eliminator. Those for intrF are given by 

elimF0 = under intrF apply λx,y.x else exn (intrF, 0) : P(X,Y) → PX 
elimF1 = under intrF apply λx,y.y else exn (intrF, 1) : P(X,Y) → PY 
(equal : X → Y → bool) z = 
match z with 
  intrU → under intrU apply true else λy. false 
| intrE x → under intrE apply equal x else λy. false 
| intrF x0 x1 → under intrF apply λy0,y1. (equal x0 y0) && (equal x1 y1) else λy. false 
| intrC x → under intrC apply equal x else λy. false 
| intrA x → under intrA apply equal x else λy. false 
| intrB x → under intrB apply equal x else λy. false 
| intrK x → under intrK apply equal x else λy. false 
| intrL x → under intrL apply equal x else λy. false 
| intrR x → under intrR apply equal x else λy. false 
| intrG x → under intrG apply equal x else λy. false 
| intrH x → under intrH apply equal x else λy. false 
| intrI x → under intrI apply equal x else λy. false 
| _ → λx,y. false 

Fig. 6. Defining equality by extension 



We can define the usual projections for pairs by fst = elimE.elimF0 and snd = 
elimE.elimF1. If intrZ : T → T' is any other constructor then its eliminator is 

elimZ = under intrZ apply λx.x else exn intrZ : T' → T. 

The algorithm for mapping is fairly complex. Recall that the type for mapping 
is 

map : ∀m. ∀F :: m → 1, X :: m, Y :: m. P(X → Y) → FX → FY 

If m is 1 and f : X → Y is an ordinary function then intrE f : P(X → Y) 
is the corresponding one-tuple and map (intrE f) has type FX → FY. When 
applied to intrE x then semantically the expected result is 

map (intrE f) (intrE x) = intrE (f x) 

as x is of the type to which f is to be applied, and then intrE is applied to create 
a one-tuple, having the same structure as the original argument. 

If m is (m0, m1) then we need a pair of functions fi : PXi → PYi for i = 0, 1. 
When applied to a term of the form intrF x0 x1 then xi : PXi and we get 

map (intrF f0 f1) (intrF x0 x1) = intrF (map f0 x0) (map f1 x1). 

Note that it is necessary to map f0 and f1 across x0 and x1. Putting these two 
rules together for pairs yields 

map (f0, f1) (x0, x1) = (f0 x0, f1 x1). 

The program in Figure 7 represents such semantic equations within exten- 
sions, but replaces the explicit structures given to the functions by the appropri- 
ate eliminators for tuples. Note how exceptions carry both the mapping function 
and the argument as a pair. In particular, if z has evaluated to an exception then 
that is nested within the exception generated by the mapping. This gives a detailed 
account of where the error has occurred, which can be handled in sophisticated 
ways. We can customise map for any particular arity as in 

map1 f = map (intrE f) : (X → Y) → FX → FY 
map2 f g = map (f, g) : (X0 → Y0) → (X1 → Y1) → F(X0, X1) → F(Y0, Y1). 



(map : P(X → Y) → F X → F Y) f z = 
match z with 
  intrE x → intrE (elimE f x) 
| intrF x y → intrF (map (elimF0 f) x) (map (elimF1 f) y) 
| intrC x → intrC (elimE f x) 
| intrA x → intrA (elimF0 f x) 
| intrB y → intrB (elimF1 f y) 
| intrK x → intrK x 
| intrL x → intrL (map (elimF0 f) x) 
| intrR y → intrR (map (elimF1 f) y) 
| intrG x → intrG (map (intrE (map f)) x) 
| intrH x → intrH (map (map f, map f) x) 
| intrI x → intrI (map (f, map f) x) 
| _ → exn (map f, z) 

Fig. 7. Definition of map 
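The equality and map programs of Figures 6 and 7, modelled in Python as an added example (it is not code from the paper or from FISh 2). Constructor terms are tagged values, the extension `under C apply g else d` becomes a function that dispatches on the constructor, and `apply` implements the rule exn s t → exn s so that exceptions flow through the eliminators. Assumptions: only the constructors intrU, intrE, intrF and intrK are modelled, bool is Python's bool, and a datum constructor int (as in Section 10) is assumed for the leaves.

```python
# Added example: a Python model of constructor-calculus terms, extensions,
# eliminators, and the generic equal (Fig. 6) and map (Fig. 7) programs.
# Not the paper's own code; the datum constructor "int" is an assumption.

class Con:
    """A term built by applying a named constructor to its arguments."""

    def __init__(self, name, *args):
        self.name, self.args = name, args

    def __eq__(self, other):  # structural equality, used only by the tests below
        return isinstance(other, Con) and (self.name, self.args) == (other.name, other.args)

    def __repr__(self):
        return self.name if not self.args else f"({self.name} {' '.join(map(repr, self.args))})"


def is_exn(t):
    return isinstance(t, Con) and t.name == "exn"


def apply(f, x):
    """Application with the extra evaluation rule  exn s t -> exn s."""
    return f if is_exn(f) else f(x)


def under(name, arity, body, default):
    """The extension  `under name apply body else default`  as a function of z."""
    def extension(z):
        if isinstance(z, Con) and z.name == name and len(z.args) == arity:
            return body(*z.args)
        return apply(default, z)   # default may be a function or an exn term
    return extension


# Eliminators defined by extension, as in the text.
elimE = under("intrE", 1, lambda x: x, Con("exn", "intrE"))
elimF0 = under("intrF", 2, lambda x, y: x, Con("exn", ("intrF", 0)))
elimF1 = under("intrF", 2, lambda x, y: y, Con("exn", ("intrF", 1)))


def equal(z):
    """Fig. 6: equal z is itself an extension, i.e. a function of the second argument."""
    no = lambda y: False                       # the  else  branch of every pattern
    if isinstance(z, Con):
        if z.name == "intrU":
            return under("intrU", 0, lambda: True, no)
        if z.name == "int":                    # assumed datum constructor: primitive compare
            return under("int", 1, lambda y0: z.args[0] == y0, no)
        if z.name == "intrF":
            x0, x1 = z.args
            return under("intrF", 2, lambda y0, y1: equal(x0)(y0) and equal(x1)(y1), no)
        if z.name in ("intrE", "intrK"):
            return under(z.name, 1, equal(z.args[0]), no)
    return lambda y: False                     # the default pattern  _ -> λx,y. false


def map_(f, z):
    """Fig. 7 for intrE, intrF and intrK; any other z yields exn (map f, z), so an
    exception already present in z ends up nested inside the one raised by map."""
    if isinstance(z, Con):
        if z.name == "intrE":
            return Con("intrE", apply(elimE(f), z.args[0]))
        if z.name == "intrF":
            x, y = z.args
            return Con("intrF", map_(elimF0(f), x), map_(elimF1(f), y))
        if z.name == "intrK":
            return z
    return Con("exn", (lambda w: map_(f, w), z))


def one(x):
    """The one-tuple intrE x."""
    return Con("intrE", x)


def demo():
    """Constructed sample: map a pair of functions over a pair of one-tuples of ints."""
    inc = lambda d: Con("int", d.args[0] + 1)
    dbl = lambda d: Con("int", 2 * d.args[0])
    f = Con("intrF", one(inc), one(dbl))                  # P((X0->Y0),(X1->Y1))
    z = Con("intrF", one(Con("int", 3)), one(Con("int", 5)))
    return map_(f, z)                                     # intrF (intrE 4) (intrE 10)
```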



Using map we can define the operation 

induct : ∀F :: 2 → 1, X :: 1, Y :: 1. (F(X, Y) → Y) → (μF) X → Y 

associated with initial algebras for functors of kind 2 → 1 by 

induct f = f.(map2 (λx.x) (induct f)).elimI. 

This definition can be adapted to functors F :: (n, 1) → 1 for any fixed n by 
replacing map2 (λx.x) by map_n applied to n − 1 copies of the identity function. 

The most familiar example of foldleft takes a function f : X → Y → X, an 
x : X and a list [y0, y1, ..., yn] and produces f (...(f x y0) ...) yn. In general 
we must consider a functor which takes more than one argument. For example, 
to fold over F(Y0, Y1) where Y0 and Y1 are types we need two functions fi : 
X → Yi → X. These can be combined by case analysis to give a function 
X → Y0 + Y1 → X. In general, we can let Y :: n be a tuple of types and use 
a function X → CY → X. Hence the type of foldleft is as defined in Figure 8. 
When the data structure holds only one kind of data then we can employ 

foldleft1 : (X → Y → X) → X → FY → X 

defined by foldleft1 f = foldleft (λu,v. f u (elimC v)). 
(foldleft : (X → C(Y :: n) → X) → X → FY → X) f x y = 
match y with 
  intrE y0 → f x (intrC y0) 
| intrF y0 y1 → foldleft (λu,v. f u (intrB v)) (foldleft (λu,v. f u (intrA v)) x y0) y1 
| intrC y0 → f x (intrC y0) 
| intrA y0 → f x (intrA y0) 
| intrB y1 → f x (intrB y1) 
| intrK y0 → x 
| intrL y0 → foldleft (λu,v. f u (intrA v)) x y0 
| intrR y1 → foldleft (λu,v. f u (intrB v)) x y1 
| intrG y0 → foldleft (λu,v. foldleft f u (elimC v)) x y0 
| intrH y0 → foldleft (λu. case ((foldleft f u).elimC) ((foldleft f u).elimC)) x y0 
| intrI y0 → foldleft (λu. case (f u) ((foldleft f u).elimC)) x y0 
| _ → exn (foldleft f, y) 

Fig. 8. Definition of foldleft 



8 Type Inference 

The use of polymorphic recursion and extension means that not every term has 
a principal type. The issues for polymorphic recursion are already well explored, 
e.g. [?]. When inferring a type for fix(λx.t) there are many choices of type 
scheme which could produce the necessary type. A similar problem arises with 
extensions. 

Theorem 5. Type inference is correct: if W(A; Γ, t, T) = σ : A → A' then 
A'; σΓ ⊢ t : σT. 

Proof. 



9 Abstract Datatypes 

This section addresses the creation of types by users, such as the tree functor 
defined in Figure [?]. It is easy to introduce new functors and constants; the 
challenge is to support them in existing generic programs. For example, if we 
introduce new constants leaf and node for the user-defined trees then the generic 
mapping algorithm in Figure 7 will not be able to handle them. Of course, we 
could write new patterns for the new constants but this defeats the purpose of 
genericity. 

The solution begins with the observation that the user-defined functors are 
always isomorphic to existing "concrete" functors, e.g. tree is isomorphic to 
tree_c. The point of creating a new functor is to create a new, separate class of 
data structures distinguished from the others by their names. So we shall intro- 
duce a single new constructor called intrT whose arguments will be a name 
and a data structure, each of which can be handled in a uniform way. For 
example, let leaf_c and node_c be the concrete versions of leaf and node. Then 
tree_name : tree_c → tree is used to name trees so that we can define 

leaf = intrT tree_name leaf_c. 

intrT has type ∀F :: m → 1, G :: m → 1, X :: m. (F → G) → (FX → GX). 
That is, it takes a natural transformation τ : F → G (the name) to form a tag 
intrT τ which when applied to a term t : FX produces a tagged term of type 
GX. 

Now all tags can be treated in a uniform way. For example, mapping over 
tagged terms is given by 

map f (intrT τ t) = intrT τ (map f t). 

10 Datum Types 



(plus : X → X → X) x y = 
match (x, y) with 
  (int x0, int y0) → int (plusprimint x0 y0) 
| (float x0, float y0) → float (plusprimfloat x0 y0) 
| (intrU, intrU) → intrU 
| (intrE x0, intrE y0) → intrE (plus x0 y0) 
| (intrF x0 x1, intrF y0 y1) → intrF (plus x0 y0) (plus x1 y1) 

Fig. 9. Generic addition 



11 Conclusions 

The constructor calculus with its functorial type system is able to define and type 
a wide range of generic functions. The type system is based on a class of functors 
which is similar to that of fml, but is supported by a system of polymorphic 
kinds that eliminates most of the need for explicit arities. Program extension is 
the truly novel contribution of the paper. It shows how generic programs can be 
incorporated within the typed lambda-calculus by giving a type derivation rule 
for extensions. Evaluation does not require type information, so there is no need 
for programmers to supply it except to aid the type inference mechanism, when 
defining complex functions. 

All of the ideas in this paper have been tested during development of the 
programming language FISh 2. In particular, all of the generic programs in the 
paper have been created, type-checked and evaluated therein. The ability to create 
such new and powerful programs shows the expressive power of this addition 
to the typed lambda-calculus. 

The focus of this paper has been to demonstrate the expressive power of this 
approach in a purely functional setting. The successor to this paper will show 
how to add imperative features to the calculus so that we may define generic 
programs such as 

assign : ∀X. loc X → X → comm 

where loc X represents a location for a value of type X and comm is a type 
of commands. In the process we will gain some insights into the optimisation 
techniques for reducing the execution overhead of generic programs, again based 
on our new understanding of constructors. 
Abstract. We answer a question raised by Richard Statman (cf. [?]) 
concerning the simply typed λ-calculus (having o as only ground type): 
Is it possible to generate from a finite set of combinators all the closed 
terms of a given type? (By combinators we mean closed λ-terms of any 
types.) 

Let us call complexity of a λ-term t the least number of distinct variables 
required for its writing up to α-equivalence. We prove here that a type T 
can be generated from a finite set of combinators iff there is a constant 
bounding the complexity of every closed normal λ-term of type T. The 
types of rank ≤ 2 and the types A1 → (A2 → ... (An → o)) such that for 
all i = 1, ..., n: Ai = o, Ai = o→o or Ai = (o → (o → ... (o → o))) → o, 
are thus the only inhabited finitely generated types. 



1 Introduction 

We consider here the simply typed λ-calculus à la Church whose only atomic 
type is o. Let us introduce some general notations and definitions about it, before 
going into our subject. 

Notation 1. Aⁿ→B and ⁿA are the types inductively defined for all n ∈ ℕ by: 
A⁰→B = B, Aⁿ⁺¹→B = A→(Aⁿ→B) and ⁰A = A, ⁿ⁺¹A = ⁿA→A. 

A type A1→(A2→ ... (An→B)) will be more simply written: A1, A2, ..., An→B. 

Definition 2. The rank rk(T) of any type T is inductively defined by: rk(o) = 0 
and rk(A→B) = max(rk(A) + 1, rk(B)). 

Every λ-term t will be considered up to α-equivalence, and the relation of 
α-equivalence between t and u will be denoted by: t = u. 

Notation 3. For any set C of λ-terms, let [C] denote the set of λ-terms built 
from those of C using applications only. 

Definition 4. We say that a set S of closed λ-terms is finitely generated if 
there is a finite set C of typed closed λ-terms such that every λ-term of S is 
βη-equivalent to some λ-term of [C]. 

Definition 5. Let us say that a simple type A is finitely generated if the set 
of the closed λ-terms of type A is finitely generated according to the previous 
definition. 

Our concern is the following question: What are the finitely generated types? 

This problem was first considered by R. Statman in [?], where the type ³o, o→o 
was shown not to be finitely generated inside the typed λI-calculus and where 
the similar statement about the typed λK-calculus was conjectured. We will give a 
proof of the latter (see Section 2 below), which is a key step of the present work. 

The type L = ²o, (o²→o)→o was given as a first example of a non finitely 
generated type in [?]. This example was established as follows: 

The type L allows the coding of the pure (i.e. type-free) closed λ-terms. For every 
pure λ-term t whose free variables are x1, ..., xk, let |t|_la be the λ-term of type o 
taking its free variables among l^{²o}, a^{o²→o}, x1°, ..., xk° and defined inductively by: 

|x|_la = x° 

|t1 t2|_la = a |t1|_la |t2|_la                                    (1) 

|λx.t|_la = l (λx°. |t|_la) . 

Definition 6. If t is a pure closed λ-term, then |t|_la is a λ-term having no free 
variable except l^{²o}, a^{o²→o} and the code of t is the closed normal term of type L: 

|t|^L =def λl^{²o} a^{o²→o}. |t|_la .                             (2) 

Proposition 1. Given any type A for which there is at least one closed λ-term 
t^A, we can construct a closed λ-term Decode_A^{L[T/o]→A} such that for any closed 
β-normal λ-term t^A (t being its underlying pure λ-term): 

Decode_A (|t|^L[T/o]) =βη t^A .                                   (3) 

Proof. Cf [?] (Lemma 3). □ 

From this proposition, it follows that if the type L had been finitely gener- 
ated, then every type A having closed λ-terms would have been finitely 
generated. Indeed, if C is a set of closed λ-terms generating L, then the set 
C_A = {t[T/o] ; t ∈ C} ∪ {Decode_A}, where T and Decode_A are as in Proposition 1, 
generates the type A. Moreover, as was proved in [?], it could have been decided 
out of the computable sets C_A whether a point in a full type structure over 
a finite ground domain is λ-definable or not. But this contradicts R. Loader's 
famous undecidability result given in [?], hence: 

Proposition 2. The type L = ²o, (o²→o)→o is not finitely generated. 

Proof. Cf [?] (p. 3, Proposition 4). □ 

It was also noted in [?] that Proposition 2 can be given the following equivalent 
form: 

Proposition 3. For any set C of closed pure λ-terms and any integer k, there 
is a closed pure normal λ-term t having no combinatorial representation M ∈ [C] 
that reduces to t in less than k developments. (Recall that a development of a 
λ-term u is a β-reduction sequence starting with u and in which only residuals 
of redexes in u are reduced, see e.g. [?], Chapter 11.) 

Proof. Cf [?] (p. 4, Proposition 6). □ 

We will now consider the finite generation problem for any type A. Let us 
first remark that the question is of interest only if the type A has closed λ- 
terms. One may easily check that every type is either a classical tautology or a 
formula equivalent to o, and that there are closed λ-terms of the type A iff A is a 
tautology (this would be obviously false if we were given several ground types): 

Definition 7. Let us say that a type A is inhabited whenever the two following 
equivalent statements hold: 

• There is at least one closed λ-term of the type A, 

• A is a classical tautology. 

It turns out from the present work that an inhabited type A is finitely generated 
iff rk(A) ≤ 2 or A is of the form A1, ..., An → o, where for all i = 1, ..., n: Ai = o 
or Ai = (oᵏ→o)→o for some k ∈ ℕ. The finitely generated types can also be 
given a nicer characterization as follows: 

Definition 8. Let us call complexity c(t) of a λ-term t the least number of 
distinct variables required for its writing up to α-equivalence. 

Remark. If k is the maximal number of the free variables of a subterm of t, then 
k ≤ c(t) ≤ k + 1. Indeed, the first inequality is obvious from the definitions of 
its members, and c(t) ≤ k + 1 is easily checked by induction on t. 
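Definition 8 and the Remark, worked as an added Python example (not from the paper): `complexity` computes c(t) for a closed λ-term by a renaming in which every binder takes the least name not already used by a free variable of its body, `max_free` computes the k of the Remark, and `check_remark` verifies k ≤ c(t) ≤ k + 1 on constructed sample terms. The tuple encoding of terms and the helper names are assumptions of this example.

```python
# Added example (not from the paper): the complexity c(t) of Definition 8 for
# closed λ-terms and the bound k <= c(t) <= k+1 of the Remark, where k is the
# largest number of free variables of a subterm of t.
# Term encoding (assumed): ('var', x) | ('app', t, u) | ('lam', x, t).

def fv(t):
    """Free variables of t."""
    kind = t[0]
    if kind == "var":
        return {t[1]}
    if kind == "app":
        return fv(t[1]) | fv(t[2])
    return fv(t[2]) - {t[1]}


def max_free(t):
    """k = the maximal number of free variables of a subterm of t."""
    own = len(fv(t))
    if t[0] == "var":
        return own
    if t[0] == "app":
        return max(own, max_free(t[1]), max_free(t[2]))
    return max(own, max_free(t[2]))


def rename_minimal(t, env=None):
    """An α-equivalent copy of the closed term t over the names 0, 1, 2, ...
    Each binder takes the least index not used by a free variable of its own
    body, so a name is reused as soon as its scope allows.  For closed terms
    this is optimal: a binder λx.u needs |fv(λx.u)| + 1 distinct names in any
    writing, and no binder here uses an index beyond |fv(λx.u)|."""
    env = env or {}
    kind = t[0]
    if kind == "var":
        return ("var", env[t[1]])
    if kind == "app":
        return ("app", rename_minimal(t[1], env), rename_minimal(t[2], env))
    x, body = t[1], t[2]
    taken = {env[y] for y in fv(body) - {x}}
    fresh = next(i for i in range(len(taken) + 1) if i not in taken)
    return ("lam", fresh, rename_minimal(body, {**env, x: fresh}))


def names(t):
    """All variable names occurring (bound or free) in t."""
    if t[0] == "var":
        return {t[1]}
    if t[0] == "app":
        return names(t[1]) | names(t[2])
    return {t[1]} | names(t[2])


def complexity(t):
    """c(t) for a closed term t (Definition 8)."""
    assert not fv(t), "complexity() here assumes a closed term"
    return len(names(rename_minimal(t)))


def check_remark(t):
    """The Remark's inequality k <= c(t) <= k + 1, returned as (k, c(t), holds)."""
    k, c = max_free(t), complexity(t)
    return k, c, k <= c <= k + 1


# Small constructors for readable sample terms.
def var(x):
    return ("var", x)

def app(*ts):
    t = ts[0]
    for u in ts[1:]:
        t = ("app", t, u)
    return t

def lam(*xs_body):
    *xs, body = xs_body
    for x in reversed(xs):
        body = ("lam", x, body)
    return body


# Constructed sample terms: S = λxyz. x z (y z), K = λxy. x, I = λx. x, Church 2.
S = lam("x", "y", "z", app(var("x"), var("z"), app(var("y"), var("z"))))
K = lam("x", "y", var("x"))              # the vacuous binder y forces c(K) = k + 1
I = lam("x", var("x"))
TWO = lam("f", "x", app(var("f"), app(var("f"), var("x"))))
```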

Definition 9. Let us say that an inhabited type A has a bounded complexity if 
there is an integer k such that for any closed normal λ-term t of type A: c(t) ≤ k. 

We have then: 

Theorem 4. An inhabited type is finitely generated if and only if it has a 
bounded complexity. 

One direction of this equivalence comes at once from: 

Proposition 5. For any inhabited type A and any integer k, the set S_{A,k} of the 
closed β-normal λ-terms t of type A such that c(t) ≤ k is finitely generated. 

Proof. According to Proposition 1 we only have to prove that, for any integer 
k, the set Λ_k = {|t|^L ; t is a pure closed λ-term and c(t) ≤ k} is finitely gener- 
ated. Indeed, if C is a finite set of closed typed λ-terms generating Λ_k, then 
{Decode_A^{L[T/o]→A}} ∪ {M[T/o] ; M ∈ C}, where Decode_A is as in Proposition 1, is a finite set 
generating S_{A,k}. 

Now, let x = (x0, x1, ..., xk) and let Λ*_k be the set of the pure λ-terms 
of complexity ≤ k whose free variables are among x. According to the remark 
following Definition 8, every element of Λ*_k can be built from the variables x with 
the help of the functions App : Λ*_k × Λ*_k → Λ*_k, L_i : Λ*_k → Λ*_k (0 ≤ i ≤ k) defined 
by: App(t, u) = tu, L_i(t) = λxi.t. Every element t of Λ*_k can be represented by 
the closed λ-term of type oᵏ⁺¹→L: 

p(t) = λx0° ... xk° l^{²o} a^{o²→o}. |t|_la ,                      (4) 

where |t|_la is defined by (1). Moreover, the set {p(t) ; t ∈ Λ*_k} is generated by the 
finite set {p(xi) ; 0 ≤ i ≤ k} ∪ {𝓛_i ; 0 ≤ i ≤ k} ∪ {App}, where: 

App = λz1^{oᵏ⁺¹→L} z2^{oᵏ⁺¹→L} x l a. a (z1 x l a) (z2 x l a) ,     (5) 

𝓛_i = λz^{oᵏ⁺¹→L} x l a. l (λxi. z x l a) ,                        (6) 

since we have: App p(t) p(u) =β p(App(t, u)) and 𝓛_i p(t) =β p(L_i(t)). At last, by 
applying the closed λ-term: 

λz^{oᵏ⁺¹→L} l a. z (l λx.x) ... (l λx.x) l a    (k+1 copies of l λx.x)      (7) 

to every term p(t), we obtain its representation |t|^L. Λ_k is therefore finitely 
generated. □ 

Hence, every type of bounded complexity is finitely generated, but the con- 
verse is not so easy to establish and the rest of this paper is actually devoted to 
a rather lengthy proof of it. Since there are finitely generated sets S such that 
the complexities c(t) of the terms t ∈ S are not bounded by any constant k, any 
proof of the existence of such a constant in the particular case where S is also 
the set of the inhabitants of some type A should somehow take into account the 
latter hypothesis. This leads us here to discard the unsuitable types A through 
a case study. It is nevertheless quite clear that further ideas for a direct proof of 
Theorem 4 are still missing. 

2 The Monster Type Is Not Finitely Generated 

The next step of our investigation is to prove that the type M = ³o, o→o, 
nicknamed "Monster Type" by R. Statman, is not finitely generated. This was 
conjectured in [?] (example 5, p. 90). 



2.1 The Type P = ((o→o)→o)→o, ((o→o)²→o)→o, o→o 

We now present a new coding of the pure closed λ-terms into the type: 

P_w = ³w, ((w→w)²→w)→w, w→w ,  where w = (o→o)²→o .              (8) 
For any pure λ-term t whose free variables are x1, ..., xk, let ⌈t⌉_la be the λ- 
term taking its free variables among l, a, x1^w, ..., xk^w and defined 
inductively by: 

⌈x⌉_la = 

⌈λx.t⌉_la = λe^w. l (λx^w. ⌈t⌉_la e) . 



Definition 10. If t is a pure closed λ-term, then ⌈t⌉_la is a λ-term having no 
free variable but l, a and the code of t is the closed normal term of 
type P_w: 

⌈t⌉^{P_w} =def λl a. ⌈t⌉_la .                                      (10) 

Lemma 6. There are closed λ-terms ι1^{o→w}, ι2^{o→w} such that: ι1 u° f1 f2 =βη f1 u°, 
ι2 u° f1 f2 =βη f2 u° (in other words, w behaves as the sum type: w = o ⊕ o). 

Proof. Take: ι_i = λz° f1^{o→o} f2^{o→o}. f_i z, i = 1, 2. □ 

Lemma 7. There are a closed λ-term C^{w→w} and, for any pure variable x, a λ- 
term V_x^{w→w} whose only free variable is x° such that for any u°: 

C(ι1 u°) =βη ι2 u°,   C(ι2 u°) =βη ι1 u°                          (11) 

V_x(ι1 u°) =βη ι1 x°,   V_x(ι2 u°) =βη ι2 u° .                    (12) 

Proof. Take: C = λs^w f1^{o→o} f2^{o→o}. s f2 f1 and V_x = λs^w f^{o→o}. s (λd°. f x°). □ 



Lemma 8. There are λ-terms L and A having no free variable but 
l^{²o}, a^{o²→o}, e° such that for any pure λ-term t whose free variables are x1, ..., xn: 

⌈t⌉_la[L/l, A/a, V_{xi}/xi^w]_{1≤i≤n} (ι1 u°) =βη ι1 |t|_la 

⌈t⌉_la[L/l, A/a, V_{xi}/xi^w]_{1≤i≤n} (ι2 u°) =βη ι2 u° 



Proof. One shows that the A-terms L = Xc'" f ° .cVe{Xd° .f{l °(Ax°.cl 4 I °I °))), 
A = Ac('“’)'-^“/'°cl'“l'“(Ad°./(a°'^°(cC(Aci“.i2e°)l'°l'°)(cC'(Ad“'.tie°)l'°l'°))), 
where = Az^.z^, suit by induction on t. 
t = X. This case follows at once from JED- 



t = Xx.tp . Let = \to]ia[L/l,A/a,VxJx}"]i^i^n- By the induction hypo- 
thesis, we have: r[ 14 /x](tiM°) =fSr, ti|tolra> r[V;/x](iiit°) =/ 3 t, iiltole/a^Jlra and 
r\Vx ! x]{l 2U°) =f}ri T\Ve/ x\{i2U°) =/3y i'2U° (we may suppose that the variables 
and x° are not free in u°). Then the λ-term θ = ⌈t⌉_la[L/l, A/a, V_{xi}/xi^w]_{1≤i≤n} 
= λe^w. L(λx^w. T e) is such that: 

9{Liu°)=f3 L{Xx 

=p A/'°.(Ax'-.r(riu°))F,(Ad°./(l'°(AxT(Ax'™.T(tiu°))'l4II))) 

=p A/'°.r[y,/x](ti«°)(Ad°./(z'°(Ax°.T[14/a:](/,iu°)II))) 

=/3r, Xf°xi\to[e/x]\/^{\d°J{f°{Xx°xi\to\/Jl))) (by ind. hyp.) 

=, A/;°/2°-G|to[e/a:]|?,(Ad°./i(/^°(Ax°.ti|tolran)))/2 
=/3 t) A/i°/ 2 °.(Ad°./i(f°(Ax°.I|to|°a)))|to[e/a;]|?a (by LemmaEJ 

6i(z'°(Ax°.I|to|?J) =/3 ti(z'°(Ax°.|to|rJ) = 

0{l2U°)=i3 L{Xx ^.t{l2U°)) 

=p Xf°XXx"'^.T{L2U-))Vx{Xd°J{f\Xx°.{Xx"'^.T{i2U-))Vxll))) 

=/3 Xf°.T[Vx/x]{i 2 U°){Xd°J{f°{Xx°.T[Vx/x]{i 2 U°)ll))) 

=f3v Xf°.L 2 U°{Xd°.f{f°{Xx°.L 2 U°ll))) (by ind. hyp.) 

=v Xfl°f 2 °-^ 2 U° (Ad°./i {f° iXx°.i 2 U°ll) ) ) f 2 

=l3r, A/i°/ 2 °./ 2 M° =/3 ^ 2 ^° (by Lemma 0 

t = tit 2 - Let = \ti]ia[L/l,A/a,VxJx'/^]i^j^ri, * = 1,2. By induction hy- 
pothesis: Ti{iiu°) =fjrj ii|tj|°a and Ti{i 2 U°) =f)rj ^ 2 U° for any u° {i = 1,2). Hence, 
one gets by Lemma 0 

Ti{C{t2{liU°))) =0n i2\t2\°ia Ti{t2{hU°)) = 

Ti(C{t2{l 2U°))) =0r, Ti{t2{l2U°)) =/3r, l^2U° . ^ 

Then, 9= \t\ia[L/l,A/a,VxJx'//"]i,^i^n = Ae’".H(Azi“'z 2 “’-H(zi(r 2 (z 2 e)))) is s.t.: 

9{liU°)=(} A{Xz/“ ,ti{zi{t2{z2{liu°))))) 

=(3 A/'°.Ti(r2(nw°))(A(i°./(a°''^°(ri(C'(r2(t2e)))II)(ri(C'(T2(tie)))II))) 

A/^foi|<i|l’,(Ad°./(a°^-°(ti|ti|l’JI)( 62 |t 2 |?JI))) 

=v A/;°/2°-G|ti|)(,(Ad°./i(a°^-°(ti|ti|^JI)(t2|t2|?JI)))/2 

=(3v A/i°/ 2 °-(^c^°-/i(a°"^°(I|ti|?a)(I|i 2 |L)))l^i|°a (by Lemma 0 

=/3 A/;°/2°-/l(a°'^1tl|?alfo|?a) =/? 

9{l2U°)=/3 H(Azi"'z2“’.Ti(zi(r2(z2(t2U°))))) 

=(3 A/'°.Ti(r 2 (t 2 'u°))(Ad°./(a°^^°(ri(C'(T 2 (t 2 e)))II)(n(C'(r 2 (tie)))II))) 

A/^fo2«°(Ad°./(a°'^“(ti|ti|rjI)(t2|t2|ran))) 

=, A/;y2°;fo^^°(Arf^/i(a°'^°(ti|tilrjI)(fo|fo|?JI)))/2 

=/3rj A/i°/ 2 °./ 2 U° =/s b 2 U° (by Lemma 0 

□ 



Proposition 9. There is a closed λ-term Θ of the type P_w → L such that for 
any closed pure λ-term t: Θ ⌈t⌉^{P_w} =βη |t|^L. 

Proof. By Lemma 8 there are terms L, A whose free variables are 
l, a, e s.t. for any closed pure λ-term t: ⌈t⌉_la[L/l, A/a](ι1 e°) =βη ι1 |t|_la. 
Moreover, since e° never occurs in one gets: \t~\ia[L' /I, A' /a]{LiE°) 

where E° = V = L[E° /e°], A' = A[E° le°]. Hence, one may choose 

the closed term: 0 = □ 



Proposition 10. Every closed λ-term of type L is βη-equivalent to a λ-term of 
the form |t|^L for some closed pure λ-term t. 

Proof. Cf [?] (Chapter 1, p. 11, Proposition 1.1). □ 

Proposition 11. The type P = ³o, ((o→o)²→o)→o, o→o is not finitely generated. 

Proof. Suppose for a contradiction that the type P is finitely generated. The 
set {⌈t⌉^{P_w} ; t is a pure closed λ-term} would be finitely generated since each of 
its elements is of the form u^P[w/o]. By adding the λ-term Θ defined in Propo- 
sition 9 as a generator, the set {|t|^L ; t is a pure closed λ-term} would then be 
also finitely generated. Therefore, according to Proposition 10 the type L itself 
would be finitely generated, but this contradicts Proposition 2. □ 

2.2 The Type M = (((o→o)→o)→o), o→o 

As remarked in [?] (Chapter 1, p. 27), the type M allows the coding of the closed 
pure λ-terms such that in every subterm of the form tu, t is a variable. These 
β-normal λ-terms will be called small λ-terms, more formally: 

Definition 11. The small λ-terms are the pure λ-terms inductively defined by: 

• any λ-variable is a small term, 

• if x is a variable and t a small term then xt is a small term, 

• if t is a small term then λx.t is a small term. 

Let x ↦ x^{o→o} be an embedding of the set of pure λ-variables into that of the 
λ-variables of type o→o. For any small λ-term t whose free variables are x1, ..., xk, 
let ||t||_le be the λ-term taking its free variables among l^{³o}, e°, x1^{o→o}, ..., xk^{o→o} and 
defined inductively by: 

||x||_le = x e° 

||xt||_le = x ||t||_le                                           (15) 

||λx.t||_le = l (λx^{o→o}. ||t||_le) . 

Definition 12. If t is a closed small λ-term, then ||t||_le is a λ-term having no 
free variable except l^{³o}, e° and the code of t is the normal closed term of type M: 

||t||^M =def λl^{³o} e°. ||t||_le .                               (16) 
Lemma 12. The set {|t|^L ; t is a small closed λ-term} is not finitely generated. 

Proof. It may be checked that the underlying form t of every normal closed term 
t^P is a small λ-term. Since we have moreover: Decode_P^{L[T/o]→P}(|t|^L[T/o]) =βη t^P, 
where Decode_P is as in Proposition 1, it follows from Proposition 11 that the 
set {|t|^L[T/o] ; t is a small closed λ-term} cannot be finitely generated and we 
conclude at once. □ 

Proposition 13. There is a closed term C^{M[S/o]→L} such that for every small 
closed λ-term t: C(||t||^M[S/o]) =βη |t|^L. 

Proof Let S = o, = \z° ff’ ftf.f^z and tf = Xfx ftf.f^- For any 

terms t°, u°, we then have: (tiu)tit2 =/3 t) t\u and L2tit2 =/3ri ^2 (S behaves as 

the sum type: o©_L). For any pure A- variable x, let = At;'^.ti(u(a°^“*'°a:°)a:°). 
At last, let = Au^'®.ii(/^°Acc°.r;Va;I(Z^°I)), where I = Xz°.z°. Note that the 
only free variables of £ are I ° and a° We will prove by induction on a small 
pure A-term t whose free variables are x±, . . . ,Xn (with possibly n = 0) that the 
term r = ||t||;e[>S'/o, C/l, 62/e, is / 3 -equivalent to 6i|t|/^: t = x. In this 

case: r = Va,62 =0 Li{b2{a°'^°x°)x°) =0 61 (x°) = 6i|t|/^. 

t = xtp . By induction hypothesis, r = Vx(||to||ie[*S'/o, £//, 62/e, =0 

Vx(6i|tor) =/3 Li{n\to\°{a°''^°x°)x°) =0 n{a°'^°x°\to\°) = 6i|t|/^. 
t = Ax. to- Let = ||to||ie[‘S'/o, £//, 62/e, Va,^/xji^i^„. By induction hypothesis, 
■6t'^[Va;/x '^] =0 6i|to|°) hence: r = {C)Xx^.u^ =0 6i(Z(Ax°.(Ax ‘®.66'^)Va;I(ZI))) =0 
6i(I(Ax°.6X^[V,/x]I(ZI))) =0 6i(/(Ax°(6i|to|°)I(«))) =/3 6i(/(Ax°I|to|°)) =/3 6i|t|°. 

In particular, we have for every small closed A-term t: ||t||®^[S'/o]£62l(tI) =/3 
||t||;e[5'/o, £/Z, 62/e]I(ZI) =0 6i|t|°I(/I) =0 I|t|° =0 \t\° . It follows that we may 
take: C = Xv^'^^/°^f°a°"^°.vCL2l{H). □ 



Proposition 14. The set {||t||^M ; t is a small closed λ-term} is not finitely gen- 
erated. 

Proof. Indeed, otherwise the set {||t||^M[S/o] ; t is a small closed λ-term} would 
be finitely generated and by Proposition 13 {|t|^L ; t is a small closed λ-term} 
would then be also finitely generated, contradicting Lemma 12. □ 

Corollary 15. The type M = ³o, o→o is not finitely generated. 

3 Some Other Non Finitely Generated Types 

3.1 The Type L' = ((o→o), o→o), o→o 

The type L' allows also a coding of every pure closed λ-term. For any pure 
λ-term t whose free variables are x1, ..., xk, let ⌊t⌋_ae be the λ-term of type o 
taking its free variables among a^{(o→o),o→o}, e°, x1°, ..., xk° and defined inductively by: 

[x\ae = 

L<lt2jL = [i2j'ae (17) 



Definition 13. If t is a pure closed λ-term, then ⌊t⌋_ae is a λ-term having no 
free variable except a^{(o→o),o→o}, e° and the code of t in the type L' is the closed normal 
term: 

⌊t⌋^{L'} =def λa^{(o→o),o→o} e°. ⌊t⌋_ae                            (18) 



Proposition 16. There is a closed term C^{L'[S/o]→L} such that for all pure closed 
λ-terms t: C(⌊t⌋^{L'}[S/o]) =βη |t|^L. 

Sketched Proof. Let S, ι1 and ι2 be as in the proof of Proposition 13, i.e. 
such that: (ι1 u) t1 t2 =βη t1 u, ι2 t1 t2 =βη t2 (S behaves as the sum type: o ⊕ ⊥). 
Let ^ Xx"^y^.ci{y{Xd°.a°"^°{xL 2 l{ll)){yl{ll))){l^°{Xz°.x{i,iz°)I{lI)))). 

Note that the only free variables of A are l^{²o} and a^{o²→o}. We can prove by 
induction on a small pure λ-term t whose free variables are x1, ..., xn (with 
possibly n = 0) that the term ⌊t⌋_ae[S/o, A/a, ι2/e, ι1 xi°/xi]_{1≤i≤n} is β-equivalent 
to ι1 |t|_la. 

In particular, if t is any small closed λ-term then ⌊t⌋^{L'}[S/o] A ι2 I (l I) =β |t|_la, 
so that we can take: C = λv^{L'[S/o]} l a. v A ι2 I (l I). □ 

Hence, by Proposition [?] and the latter: 

Proposition 17. The type L' is not finitely generated. 



3.2 The Type L" = ((o→o)² → o) → o 

What has just been done for the type L' can be reproduced for the type L" = 
((o→o)²→o)→o: For any pure λ-term t whose free variables are x1, ..., xk, let 
⌊t⌋" be the λ-term of type o taking its free variables among a^{(o→o)²→o}, x1°, ..., xk° 
and defined inductively by: 

⌊x⌋" = x° 

⌊t1 t2⌋" = a (λd°. ⌊t1⌋") (λd°. ⌊t2⌋")                             (19) 

⌊λx.t⌋" = a (λx°. ⌊t⌋") (λx°. x°) . 



Definition 14. If t is a pure closed λ-term, then ⌊t⌋" is a λ-term having no 
free variable except a^{(o→o)²→o} and the code of t in the type L" is the closed normal 
λ-term: 

⌊t⌋^{L"} =def λa^{(o→o)²→o}. ⌊t⌋"                                   (20) 
It can be checked at once that the closed λ-term: 

C' =                                                           (21) 

satisfies C'(⌊t⌋^{L"}) =βη ⌊t⌋^{L'} for all pure closed terms t. By composing C' with 
the term C of Proposition 16 we get a closed λ-term C" s.t. C"(⌊t⌋^{L"}[S/o]) =βη |t|^L for all closed t, 
hence by Propositions [?] and [?]: 

Proposition 18. The type L" is not finitely generated. 

3.3 The Type M' = (((o→o), o→o) → o) → o 

Let x ↦ x^{o→o} be an embedding of the set of pure λ-variables into that of the 
λ-variables of type o→o. For any small λ-term t whose free variables are x1, ..., xk, 
let ⟦t⟧' be the λ-term taking its free variables among l^{((o→o),o→o)→o}, z°, x1^{o→o}, ..., xk^{o→o} 
and defined inductively by: 

⟦x⟧' = x z° 

⟦xt⟧' = x ⟦t⟧'                                                  (22) 

⟦λx.t⟧' = . 

Definition 15. If t is a closed small λ-term, then ⟦t⟧' is a λ-term having no 
free variable except l^{((o→o),o→o)→o} and the code of t in the type M' is the normal 
closed λ-term: 

⟦t⟧^{M'} =def λl^{((o→o),o→o)→o}. ⟦t⟧' .                             (23) 

Proposition 19. There is a closed term D^{M'→M} such that for every small 
closed λ-term t: D(⟦t⟧^{M'}) =βη ||t||^M. 

Sketched Proof. Let £Co,o^o)^o _ .xze). Note that the only 

free variables of 𝓛 are l^{³o} and e°. We can prove by induction on a small pure 
λ-term t that the term ⟦t⟧'[𝓛/l, e°/z°] is β-equivalent to ||t||_le. 

In particular, if t is any small closed λ-term, then z° is not free in ⟦t⟧'; hence 
we have ⟦t⟧^{M'} 𝓛 =β ||t||_le, and we can take: D = λv^{M'} l^{³o} e°. v 𝓛. □ 

Hence, by Proposition 14 and the latter: 

Proposition 20. The type M' is not finitely generated. 

3.4 The Type M" = ((((o→o) → o) → o) → o) → o 

Let x ↦ x^{²o} be an embedding of the set of pure λ-variables into that of the 
λ-variables of type ²o. For any small λ-term t whose free variables are x1, ..., xk, 
let ⟦t⟧" be the λ-term taking its free variables among l^{⁴o}, x1^{²o}, ..., xk^{²o} and defined 
inductively by: 

⟦x⟧" = x (λz°. z°) 

⟦xt⟧" = x (λd°. ⟦t⟧")                                            (24) 

⟦λx.t⟧" = l (λx^{²o}. ⟦t⟧") . 
Definition 16. If t is a closed small λ-term, then ⟦t⟧" is a λ-term having no 
free variable except l^{⁴o} and the code of t in the type M" is the normal closed 
λ-term: 

⟦t⟧^{M"} =def λl^{⁴o}. ⟦t⟧"                                         (25) 



Proposition 21. There is a closed term D^{M"→M} such that for every small 
closed λ-term t: D(⟦t⟧^{M"}) =βη ||t||^M. 

Sketched Proof. Let 𝓛^{⁴o} = λx^{³o}. l^{³o}(λz^{o→o}. x(λs^{o→o}. z(s e°))). Note that the only free 
variables of 𝓛 are l^{³o} and e°. We can prove by induction on a small pure λ- 
term t whose free variables are x1, ..., xn (with possibly n = 0) that the term 
⟦t⟧"[𝓛/l, λs^{o→o}. xi^{o→o}(s e°)/xi^{²o}]_{1≤i≤n} is β-equivalent to ||t||_le. 

In particular, if t is any small closed λ-term then ⟦t⟧^{M"} 𝓛 =β ||t||_le, so that 
we can take: D = λv^{M"} l^{³o} e°. v 𝓛. □ 

Hence, by Proposition 14 and the latter: 

Proposition 22. The type M" is not finitely generated. 

4 The Types of Unbounded Complexity Are Not Finitely 
Generated 

We will now reduce the case of every (inhabited) type of unbounded complexity 
to the previous ones (L, L', L", M, M', M") with the help of: 

Definition 17. Let ⊴ be the least (binary) reflexive and transitive relation on 
the set of types such that for any types A, B, C: 

A→B ⊴ B , 

A, B→C ⊴ B, A→C ,                                              (26) 

If A ⊴ B, then A ⊴ C→B and A→C ⊴ B→C . 



Proposition 23 (de'Liguoro, Piperno, Statman 1992, cf. [2], p. 464, Lemma 3.5). If we have A ⊵ B for some types A, B, then there are (possibly open) λ-terms t^{B→A}, θ^{A→B} such that for all λ-terms u^B: θ(t u^B) =_{βη} u^B.

This was actually proved in [2] for a relation ⊳ larger than ⊵, defined in the same way but with the additional clause (A→o) ⊳ A (for any type A).

Corollary 24. If A, B are inhabited types such that A ⊵ B and if A is finitely generated, then B is also finitely generated.

Indeed, if A = A_1, ..., A_m → o and B = B_1, ..., B_n → o are inhabited types such that A ⊵ B, then there are λ-terms t^{B→A} = λx^B x_1^{A_1} ... x_m^{A_m}. r° and θ^{A→B} = λx^A x_1^{B_1} ... x_n^{B_n}. r'° s.t. for all u^B: θ(t u^B) =_{βη} u^B. Since A (resp. B) is inhabited, there is a term κ° whose free variables are among x_1^{A_1}, ..., x_m^{A_m} (resp. among x_1^{B_1}, ..., x_n^{B_n}); hence, we may replace every free variable of t (resp. of θ) with a λ-term of the form λd_1 ... d_k. κ° in order to get a closed λ-term t_0 (resp. a closed λ-term θ_0). Note that we still have, for all u^B: θ_0(t_0 u^B) =_{βη} u^B. Now, for all closed u^B, the closed λ-term t^A = t_0 u^B is s.t. θ_0 t^A =_{βη} u^B; hence, if C is a finite set generating the type A, then the set C ∪ {θ_0} generates B.

Recall that the signs of subtype occurrences in a type are inductively defined as follows: the only occurrence of T in T is positive; if T ≠ R→B, the positive (resp. negative) occurrences of T in R→B are the negative (resp. positive) occurrences of T in R and the positive (resp. negative) occurrences of T in B.

Definition 18 (Statman 1980, cf. [7], p. 512). We say that a type is small if it has no negative occurrence of a subtype of the form A, B → C and large if it is not small.
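As an added example (not code from the paper), the following Python computes the sign of every subtype occurrence as just recalled, decides Statman's small/large distinction of Definition 18, and computes the rank used in Propositions 25 to 27; the tuple encoding of types and the function names are assumptions of the example.

```python
"""Added example, not code from the paper: signs of subtype occurrences,
Statman's small/large classification (Definition 18) and the rank of a type.
Encoding (an assumption of this example): a type A_1, ..., A_n -> o is the
tuple (A_1, ..., A_n) of its argument types, so the base type o is ()."""

o = ()


def rank(A):
    """rk(o) = 0 and rk(A_1, ..., A_n -> o) = 1 + max_i rk(A_i)."""
    return 0 if A == o else 1 + max(rank(B) for B in A)


def signed_occurrences(A, sign=+1):
    """All subtype occurrences of A as (subtype, sign) pairs, each occurrence once.

    The type itself is positive.  Writing A = R -> S with R = A_1 and
    S = A_2, ..., A_n -> o, the occurrences inside R flip their sign (they sit
    left of the arrow) while those inside S keep the sign of A."""
    out = [(A, sign)]
    if A != o:
        out += signed_occurrences(A[1:], sign)    # occurrences inside S
        out += signed_occurrences(A[0], -sign)    # occurrences inside R, flipped
    return out


def negative_subtypes(A):
    """The subtypes of A that have at least one negative occurrence."""
    return {T for T, s in signed_occurrences(A) if s < 0}


def is_small(A):
    """Small: no negative occurrence of a subtype of the form B, C -> D,
    i.e. of a type with two or more arguments.  Large otherwise."""
    return not any(len(T) >= 2 for T in negative_subtypes(A))


def classify(A):
    return ('small' if is_small(A) else 'large', rank(A))


# Constructed sample types.
o1 = (o,)                  # o -> o
L_like = ((o1,), (o, o))   # ((o -> o) -> o), (o, o -> o) -> o: large, rank 3
M2 = ((((o1,),),),)        # M'' = ((((o -> o) -> o) -> o) -> o) -> o of Sect. 3.4
```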



Proposition 25. If A is an inhabited large type of rank 3, then A ⊵ L, A ⊵ L' or A ⊵ L''.

Proof. Since A is supposed to be large and of rank 3, we must have A = A_1, ..., A_n → o with, for some i, j: rk(A_i) = 2 and A_j = B_1, ..., B_m → o, m ≥ 2.

– If i ≠ j, then A_i ⊵ fo and A_j ⊵ ^o, hence A ⊵ L.

– If i = j, then A_i ⊵ fo, o→o.

  – If A_i is inhabited, then n ≥ 2, otherwise A would not be a classical tautology and would have no inhabitant; thus A ⊵ L'.

  – If A_i is not inhabited, then for all 1 ≤ k ≤ m, B_k is inhabited, B_k ⊵ ^o; hence, A_i ⊵ (fo)^m → o and A ⊵ L''.

□



Proposition 26. If A is an inhabited type of rank ≥ 4 then A ⊵ M, A ⊵ M' or A ⊵ M''.

Proof. Suppose that A = A_1, ..., A_n → o is an inhabited type of rank ≥ 4.

– If n ≥ 2, then A ⊵ M.

– If n = 1, let A_1 = B_1, ..., B_m → o, i s.t. rk(B_i) ≥ 2, B_i = C_1, ..., C_k → o and j s.t. rk(C_j) ≥ 1. Since A is inhabited, B_i must be a classical tautology, i.e. an inhabited type.

  – If C_j is inhabited, then we must have k ≥ 2, since B_i is inhabited. Therefore, B_i ⊵ fo, o→o and A ⊵ M'.

  – If C_j is not inhabited, then rk(C_j) ≥ 2 and A ⊵ M''.

□
Proposition 27. If an inhabited type A does not have bounded complexity, then at least one of the following relations holds: A ⊵ L, A ⊵ L', A ⊵ L'', A ⊵ M, A ⊵ M', A ⊵ M''.

Proof. Let A = A_1, ..., A_n → o be any inhabited type of unbounded complexity. If rk(A) ≥ 4, then we have from Proposition 26 A ⊵ M, A ⊵ M' or A ⊵ M''. If rk(A) ≤ 3, let t = λx_1^{A_1} ... x_n^{A_n}. r° be a closed normal λ-term of type A with complexity c(t) ≥ n + 2. There must be at least one A_i (1 ≤ i ≤ n) of rank > 1, otherwise r° could not contain any abstraction and consequently could not have other variable occurrences than those of x_1^{A_1}, ..., x_n^{A_n}. Moreover, since rk(A) ≤ 3, all the bound variables of r° have the type o, and some A_i must then be of the form B, C → D, otherwise r° would necessarily have the form x_{i_1}(λz_1. x_{i_2}(λz_2. ... x_{i_k}(λz_k. z°))) and we would have c(t) ≤ n + 1. A is therefore a large type of rank 3 and we get by Proposition 25 A ⊵ L, A ⊵ L' or A ⊵ L''. □

Proof of Theorem [?]. Let A be any inhabited type.

If A has bounded complexity, then A is finitely generated by Proposition [?]. If A does not have bounded complexity, then according to Propositions [?] there is a non-finitely generated type B (B = L, L', L'', M, M' or M'') such that A ⊵ B. It follows from Corollary 24 that A is not finitely generated. □
Abstract. We show that the monadic second-order theory of any infinite tree generated by a higher-order grammar of level 2 subject to a certain syntactic restriction is decidable. By this we extend the result of Courcelle that the MSO theory of a tree generated by a grammar of level 1 (algebraic) is decidable. To this end, we develop a technique of representing infinite trees by infinite λ-terms, in such a way that the MSO theory of a tree can be interpreted in the MSO theory of a λ-term.



Introduction 

In 1969, Rabin proved decidability of the monadic second-order (MSO) theory of the full n-ary tree, which is perhaps one of the most widely applied decidability results. There are several ways in which Rabin's Tree Theorem can be extended. One possibility is to consider a more general class of structures obtained in a tree-like manner, i.e., by unwinding some initial structure. The decidability of the MSO theory of the unwound structure then relies on the decidability of the MSO theory of the initial structure, and the "regularity" of the unwinding process (see [?]). Another direction, which we will pursue here, is to remain with trees but consider more sophisticated modes of generation than unwinding.

To this end, it is convenient to rephrase Rabin's Tree Theorem for labeled trees, as follows: the MSO theory of any regular tree is decidable. Here, a labeled tree is seen as a logical structure with additional monadic predicates corresponding to the labels, and a tree is regular if it has only a finite number of non-isomorphic subtrees. An equivalent definition of regularity says that a tree is generated by a (deterministic) regular tree grammar, which gives rise to further generalizations. Indeed, Courcelle [?] proved that the MSO theory of any tree generated by an algebraic (or context-free) tree grammar is also decidable. However, nothing general is known about the MSO theories of trees generated by higher-order grammars, although the expressive power of such grammars was extensively studied by Damm [?] in the early eighties. This is the question we address in the present paper.

It is plausible to think that any tree generated by a higher-order grammar (see Section [?] below) has a decidable MSO theory; this, however, is only a conjecture. At present, we are able to show decidability of the MSO theory of trees generated by grammars of level 2 satisfying an additional condition restricting occurrences of individual parameters in the scope of functional ones. This, however, properly extends the aforementioned result of Courcelle [?].

Our method makes use of the idea of the infinitary λ-calculus, already considered by several authors [?]. Here we view infinite λ-terms as infinite trees additionally equipped with edges from bound variables to their binders. In the course of a possibly infinite sequence of β-reductions, these additional edges may disappear, and the result is a tree consisting of constant symbols only. We show that the MSO theory of the resulting tree can be reduced to the MSO theory of the original λ-term, viewed as an appropriate logical structure (Theorem [?] below). Let us stress that the reduction is not a mere interpretation (which seems to be hardly possible). Instead, we use the μ-calculus as an intermediate logic, and an intermediate structure obtained by folding the tree. In order to interpret the MSO theory of the folded tree in the MSO theory of the λ-term, we use techniques similar to Caucal [?], combined with an idea originating from Geometry of Interaction and the theory of optimal reductions. Namely, we consider deformations of regular paths in λ-terms and pushdown store computations along these paths.

The motivation behind this reduction of MSO theories is that the MSO theory of a λ-term should be easier to establish than that of the tree after reduction. This is indeed the case for grammars satisfying our restriction. More specifically, for each such grammar we are able to construct an infinite λ-term which is essentially an algebraic tree, and whose result of β-reduction is precisely the tree generated by the grammar. Hence, by the aforementioned theorem of Courcelle, we get our decidability result (Theorem [?] below).

Let us mention that the interest in deciding formal theories of finitely presentable infinite structures has grown among the verification community during the last decade (see, e.g., [?] and references therein). In particular, a problem related to ours was addressed by H. Hungar, who studied graphs generated by some specific higher-order graph grammars. He showed [?] decidability of the monadic second-order theory (S1S) of paths of such graphs (not the full MSO theory of graphs).

1 Preliminaries 

Types. We consider a set of types T constructed from a unique basic type 0. That is, 0 is a type and, if τ_1, τ_2 are types, so is (τ_1 → τ_2) ∈ T. The operator → is assumed to associate to the right. Note that each type is of the form τ_1 → ... → τ_n → 0, for some n ≥ 0. A type 0 → ··· → 0 with n + 1 occurrences of 0 is also written 0^n → 0. The level ℓ(τ) of a type τ is defined by ℓ(τ_1 → τ_2) = max(1 + ℓ(τ_1), ℓ(τ_2)), and ℓ(0) = 0. Thus 0 is the only type of level 0 and each type of level 1 is of the form 0^n → 0 for some n > 0. A type τ_1 → ... → τ_n → 0 is homogeneous (where n ≥ 0) if each τ_i is homogeneous and ℓ(τ_1) ≥ ℓ(τ_2) ≥ ... ≥ ℓ(τ_n). For example ((0→0)→0)→(0→0)→(0→0→0)→0→0 is homogeneous, but 0→(0→0)→0 is not.

Higher-order terms. A typed alphabet is a set Γ of symbols with types in T. Thus Γ can also be presented as a T-indexed family {Γ_τ}_{τ∈T}, where Γ_τ is the set of all symbols of Γ of type τ. We let the type level ℓ(Γ) of Γ be the supremum of ℓ(τ) such that Γ_τ is nonempty. A signature is a typed alphabet of level 1.

Given a typed alphabet Γ, the set T(Γ) = {T(Γ)_τ}_{τ∈T} of applicative terms is defined inductively by

(1) Γ_τ ⊆ T(Γ)_τ; (2) if t ∈ T(Γ)_{τ_1→τ_2} and s ∈ T(Γ)_{τ_1} then (ts) ∈ T(Γ)_{τ_2}.

Note that each applicative term can be presented in a form Z t_1 ... t_n, where n ≥ 0, Z ∈ Γ, and t_1, ..., t_n are applicative terms. We say that a term t ∈ T(Γ)_τ is of type τ, which we also write t:τ. We adopt the usual notational convention that application associates to the left, i.e. we write t_0 t_1 ··· t_n instead of (···((t_0 t_1) t_2)···) t_n.

Trees. The free monoid generated by a set X is written X* and the empty word is written ε. The length of a word w ∈ X* is denoted by |w|. A tree is any nonempty prefix-closed subset T of X* (with ε considered as the root). If u ∈ T, x ∈ X, and ux ∈ T then ux is an immediate successor of u in T. For w ∈ T, the set T.w = {v ∈ X* : wv ∈ T} is the subtree of T induced by w. Note that T.w is also a tree, and T.ε = T.

Now let Σ be a signature and let T ⊆ ω*, where ω is the set of natural numbers, be a tree. A mapping t: T → Σ is called a Σ-tree provided that if t(w) : 0^k → 0 then w has exactly k immediate successors, which are w1, ..., wk (hence w is a leaf whenever t(w) : 0). The set of Σ-trees is written T(Σ).

If t: T → Σ is a Σ-tree, then T is called the domain of t and denoted by T = Dom t. For v ∈ Dom t, the subtree of t induced by v is a Σ-tree t.v such that Dom t.v = (Dom t).v, and t.v(w) = t(vw), for w ∈ Dom t.v. It is convenient to organize the set T(Σ) into an algebra over the signature Σ, where for each f ∈ Σ_{0^n→0}, the operation associated with f sends an n-tuple of trees t_1, ..., t_n onto the unique tree t such that t(ε) = f and t.i = t_i, for i ∈ [n]. (The notation [n] abbreviates {1, ..., n}.) Finite trees in T(Σ) can also be identified with applicative terms of type 0 over the alphabet Σ in the usual manner.

We introduce a concept of limit. For a Σ-tree t, let t|n be its truncation to the level n, i.e., the restriction of the function t to the set {w ∈ Dom t : |w| < n}. Suppose t_0, t_1, ... is a sequence of Σ-trees such that, for all k, there is an m, say m(k), such that, for all n, n' ≥ m(k), t_n|k = t_{n'}|k. (This is a Cauchy condition in a suitable metric space of trees.) Then the limit of the sequence, in symbols lim t_n, is a Σ-tree t which is the set-theoretical union of the functions t_n|m(n) (understanding a function as a set of pairs).

Types as trees. Types in T can be identified with finite (unlabeled) binary trees. More specifically, we use the set of directions {p, q}, and let tree(τ_1 → τ_2) be the unique tree such that tree(τ_1 → τ_2).p = tree(τ_1), tree(τ_1 → τ_2).q = tree(τ_2) and tree(0) = {ε}. In the sequel we will not make a notational distinction between τ and tree(τ).
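As an added example (not code from the paper), here are the type constructions of this section in Python: the level ℓ, the homogeneity test, the identification of a type with a binary tree over {p, q}, and the lookup of the subtype τ.w that Lemma 1 later reads off the pushdown store. The pair encoding of arrow types and the function names are assumptions of the example.

```python
"""Added example, not code from the paper: the types of Sect. 1 as binary trees
over the directions {p, q}, with the level function, the homogeneity test and
the lookup of the subtype tau.w.  Encoding (an assumption of this example):
the basic type 0 is the string '0' and t1 -> t2 is the pair (t1, t2), whose
.p part is t1 and whose .q part is t2."""

O = '0'


def arrow(*taus):
    """arrow(t1, ..., tn, 0) is t1 -> (t2 -> (... -> 0)): -> associates to the right."""
    tau = taus[-1]
    for t in reversed(taus[:-1]):
        tau = (t, tau)
    return tau


def level(tau):
    """l(0) = 0 and l(t1 -> t2) = max(1 + l(t1), l(t2))."""
    if tau == O:
        return 0
    t1, t2 = tau
    return max(1 + level(t1), level(t2))


def arguments(tau):
    """The list [t1, ..., tn] for tau = t1 -> ... -> tn -> 0."""
    args = []
    while tau != O:
        t1, tau = tau
        args.append(t1)
    return args


def is_homogeneous(tau):
    """Every argument homogeneous and l(t1) >= l(t2) >= ... >= l(tn)."""
    args = arguments(tau)
    levels = [level(t) for t in args]
    return all(map(is_homogeneous, args)) and levels == sorted(levels, reverse=True)


def subtype(tau, w):
    """tau.w for a word w over {p, q}: p descends to the argument, q to the
    result.  None when the path leaves the tree, i.e. tau.w is undefined."""
    for d in w:
        if tau == O:
            return None
        tau = tau[0] if d == 'p' else tau[1]
    return tau


def show(tau):
    """Write a type the way the paper does, parenthesising argument arrows."""
    if tau == O:
        return '0'
    t1, t2 = tau
    left = '0' if t1 == O else '(' + show(t1) + ')'
    return left + '->' + show(t2)


# The paper's two examples, constructed here.
HOMOGENEOUS = arrow(arrow(arrow(O, O), O), arrow(O, O), arrow(O, O, O), O, O)
NOT_HOMOGENEOUS = arrow(O, arrow(O, O), O)
```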

Monadic second-order logic. Let R be a relational vocabulary, i.e., a set of relational symbols, each r in R given with an arity ρ(r) > 0. The formulas of monadic second-order (MSO) logic over vocabulary R use two kinds of variables: individual variables x_0, x_1, ... and set variables X_0, X_1, .... Atomic formulas are x_i = x_j, ..., and X_i(x_j). The other formulas are built using the propositional connectives ∨, ¬, and the quantifier ∃ ranging over both kinds of variables. (The connectives ∧, ⇒, etc., as well as the quantifier ∀, are introduced in the usual way as abbreviations.) A formula without free variables is called a sentence. Formulas are interpreted in relational structures over the vocabulary R, which we usually present by 𝔄 = (A, {r^𝔄 : r ∈ R}), where A is the universe of 𝔄, and r^𝔄 ⊆ A^{ρ(r)} is a ρ(r)-ary relation on A. A valuation is a mapping v from the set of variables (of both kinds), such that v(x_i) ∈ A, and v(X_i) ⊆ A. The satisfaction of a formula φ in 𝔄 under the valuation v, in symbols 𝔄, v ⊨ φ, is defined by induction on φ in the usual manner. The monadic second-order theory of 𝔄 is the set of all MSO sentences satisfied in 𝔄.

Let Σ be a signature and suppose that the maximum of the arities of symbols in Σ exists and equals m_Σ. A tree t ∈ T(Σ) can be viewed as a logical structure t over the vocabulary R_Σ = {p_f : f ∈ Σ} ∪ {d_i : 1 ≤ i ≤ m_Σ}, with ρ(p_f) = 1 and ρ(d_i) = 2:

$$\mathbf{t} = (\mathrm{Dom}\, t,\ \{p_f^{t} : f \in \Sigma\} \cup \{d_i^{t} : 1 \le i \le m_\Sigma\}).$$

The universe of t is the domain of t, and the predicate symbols are interpreted by p_f^t = {w ∈ Dom t : t(w) = f}, for f ∈ Σ, and d_i^t = {(w, wi) : wi ∈ Dom t}, for 1 ≤ i ≤ m_Σ. We refer the reader to [?] for a survey of the results on the monadic second-order theory of trees.

2 Infinitary λ-Calculus

We will identify infinite λ-terms with certain infinite trees. More specifically, we fix a finite signature Σ and let Σ^⊥ = Σ ∪ {⊥}, where ⊥ is a fresh symbol of type 0. All our finite and infinite terms, called λ-trees, are simply typed and may involve constants from Σ^⊥, and variables from a fixed countably infinite set. In fact, we only consider λ-trees of types of level at most 1.

Let Σ° be an infinite alphabet of level 1, consisting of a binary function symbol @, all symbols from Σ^⊥ as individual constants, regardless of their actual types, infinitely many individual variables as individual constants, and unary function symbols λx for all variables x. The set of all λ-trees (over a signature Σ) is the greatest set of Σ°-trees, given together with their types, such that the following conditions hold.



Fig. 1. Application and abstraction
• Each variable x is a λ-tree of type 0.

• Each function symbol f ∈ Σ^⊥ of type τ is a λ-tree of type τ.

• Otherwise each λ-tree is of type of level at most 1 and is either an application (MN) or an abstraction (λx.M) (see Fig. 1).

• If a λ-tree P of type τ is an application (MN) then M is a λ-tree of type 0 → τ, and N is a λ-tree of type 0.

• If a λ-tree P of type τ has the form (λx.M), then τ = 0 → σ, and M is a λ-tree of type σ.

Strictly speaking, the above is a co-inductive definition of the two-argument relation "M is a λ-tree of type τ". Formally, a λ-tree can be presented as a pair (M, τ), where M is a Σ°-tree, and τ is its type satisfying the conditions above. Whenever we talk about a "λ-tree" we actually mean a λ-tree together with its type.

Let M be a λ-tree and let x be a variable. Each node of M labeled x is called an occurrence of x in M. An occurrence of x is bound (resp. free) iff it has an (resp. no) ancestor labeled λx. The binder of this occurrence of x is the closest of all such ancestors λx. A variable x is free in a λ-tree M iff it has a free occurrence in M. The (possibly infinite) set of all free variables of M will be denoted by FV(M). A λ-tree M with FV(M) = ∅ is called closed.

Definition 1. We call a λ-tree M boundedly typed if the set of types of all subterms of M is finite.

Clearly, ordinary λ-terms can be seen as a special case of λ-trees, and the notion of a free variable in a λ-tree generalizes the notion of a free variable in a λ-term. The n-th approximant of a λ-tree M, denoted M|n, is defined by induction as follows:

• M|0 = ⊥, for all M;

• (MN)|(n+1) = (M|n)(N|n);

• (λx.M)|(n+1) = λx.(M|n).

That is, the n-th approximant is obtained by replacing all subtrees rooted at depth n by the constant ⊥.

We denote by M[x := N] the result of substitution of all free occurrences of x in M by N. The definition of the substitution of λ-trees is similar to that for ordinary λ-terms. (An α-conversion of some subterms of M may be necessary in order to avoid the capture of free variables of N.)

A redex in a λ-tree M is a subtree of the form (λx.P)Q. The contractum of such a redex is of course P[x := Q]. We write M → N iff N is obtained from M by replacing a redex by its contractum. Note that infinite λ-trees, even simply typed, may have infinite reduction sequences, due to infinitely many redexes.

2.1 Paths in λ-Graphs

To each λ-tree M, we associate a λ-graph G(M). Some edges of G(M) are oriented and labeled either p or q. Other edges are non-oriented and unlabeled. To construct G(M) we start with M where (for technical reasons) we add an additional node labeled "c" above each application, i.e., above any @-node.



258    T. Knapik, D. Niwinski, and P. Urzyczyn



(We refer to a node labeled by a symbol σ as a σ-node.) We add an edge, oriented downward and labeled q, from each c-node to the corresponding @-node. We also add an edge oriented upward and labeled p, from each bound occurrence of a variable to its binder. Since α-equivalent λ-trees may be identified, without loss of information we can replace all labels λx just by "λ" and all bound occurrences of variables by a uniform label "u". In addition we assign labels and orientation to the following existing edges. Each edge connecting the argument of an application with the corresponding @-node is labeled p and oriented upward. Each edge connecting the body of an abstraction with the corresponding λ-node is labeled q and oriented upward. Different cases of nodes and edges of G(M) are depicted on Fig. 2.

Fig. 2. Labeled application and abstraction

Each subterm N of M corresponds in an obvious way to a subgraph of G(M), which will be denoted G(N). Observe that nodes corresponding to free variables of N are connected to λ-nodes outside of G(N), and these connecting edges are not part of G(N). Each of these graphs G(N) has a distinguished entry node (drawn at the top). The entry node of an abstraction is the appropriate λ-node, the entry node of an application is the additional c-node (not the @-node) and the entry node of a variable is the u-node itself. If confusion does not arise, we will write a := a_N to mean that a is the entry node of a subterm N in M. Note that each node in G(M), except for @-nodes, is an entry node of G(N), for some subterm N of M.

Following the ideas of the Geometry of Interaction, see [?], we will now consider paths in λ-graphs. A sequence of adjacent edges in a λ-graph (possibly including the extra arcs from variable nodes to their binders) is called a straight path provided there is no backtracking, i.e., no edge is taken twice in a row and two edges connecting two different variable nodes with a λ-node which is their common binder may not directly follow one another. From now on by a path we always mean a straight path. Note that a path can pass an oriented edge forward (obeying the orientation) or backward (against the orientation).

Following [?] we will now consider a certain stateless pushdown automaton V walking on paths in a λ-graph. Informally, V moves along edges of a path Π, and each time it traverses a labeled edge forward or backward, a pushdown store (pds, for short) operation is performed (no pds operation if there is no label). Whenever we follow an arrow labeled p, we push p on the pds, and in order to traverse such an arrow backward, we must pop p from the pds. We proceed in an analogous way when we use edges labeled by q, forward or backward. In particular, in order to take a p-arrow backward, the top of the pds must be p, and similarly for q. This can be described more formally, considering that V works with the input alphabet {p↑, p↓, q↑, q↓, 1} (1 for a nonlabeled edge). A configuration of V is defined as a pair of the form (a, w) consisting of a node a and a word w representing the pds contents (top at the left). Note that once the path Π is fixed, the behaviour of V is fully determined by the initial contents of the pds.

An important property of V is that the contents of the pds in a configuration (a, w) may contain some information about the type of the subterm N whose entry node is a (i.e., a = a_N). Note that, according to our representation of types as trees, the subtree τ.w of a type τ is again a type.

Lemma 1. Assume that V can move from (a_N, w) to (a_P, v), and that N : τ and P : σ. Suppose that τ.w is defined. Then σ.v is defined and τ.w = σ.v. Similarly, if σ.v is defined then so is τ.w and the equality holds.

In other words, the pds of V can be seen as a pointer to a certain subtype of the type of the currently visited node. A crucial consequence of this fact is that if our λ-tree is boundedly typed (see Definition 1) then V can essentially be replaced by a finite automaton, if we only consider computations beginning with configurations (a_N, w) such that τ.w is defined, where τ is the type of N. Indeed, by Lemma 1 the type pointed to by the pds during the whole computation is τ' = τ.w. Now, if there are altogether only finitely many types in use, the type τ' can occur in all these types in a finite number of positions only. This means that there is only a finite number of possible values of the pds (uniformly bounded for a boundedly typed λ-term). Then we can convert the pds contents of V into states of a finite automaton. Thus we can compare computations of both automata in an obvious way.

We summarize the above considerations in the following.

Proposition 1. Suppose a λ-tree M is boundedly typed. There is a deterministic finite automaton A whose set of states is a subset of {p, q}*, and whose computations along paths in G(M) coincide with the computations of V. Whenever V can traverse a path in G(M), A can do it as well.

It will now be convenient to define a computation path (of V) more formally. A computation path Π in a λ-graph M is a finite or infinite sequence of configurations (a_0, w_0), (a_1, w_1), ..., such that the corresponding sequence of edges (a_0, a_1), (a_1, a_2), ... forms a straight path (if Π is infinite, we mean that each initial segment is straight), and w_0, w_1, ... are the consecutive contents of the pds in V's computation along this path. Note that we allow a trivial computation path consisting of a single configuration (a_0, w_0) (no edges). A computation path is maximal if it is infinite, or finite but cannot be extended to a longer computation path.

Now suppose a computation path Π ends in a configuration (a_N, w). If Π is nontrivial, there are two ways in which Π may reach the last configuration: it either comes from outside of G(N) (i.e., the last but one node is not in G(N)) or from inside of G(N). We will call Π South-oriented in the first case, and North-oriented in the second (as Π comes "from above" or "from below", respectively). If Π is trivial, and hence consists only of (a_N, w), we will qualify it as South-oriented if N is an application or a signature symbol of arity 0, and North-oriented if N is a signature symbol of arity > 0 (we do not care for other cases). Now, let N : τ. We will say that Π is properly ending if the type τ.w is defined and equals 0, and moreover

• if Π is South-oriented then w = q^n, for some n ≥ 0,

• if Π is North-oriented then w = q^n p, for some n ≥ 0.

We are ready to state a lemma that will be crucial for further applications (see [?] for a proof).

Lemma 2. Let M be a closed λ-tree of type 0.

(1) There is exactly one maximal computation path Π starting from configuration (a_M, ε). If Π is finite then it must end in a configuration (a_g, q^n), for some signature symbol g of arity n.

(2) Let a = a_f be a node of M, where f is a signature symbol of arity k > 0, and let i ∈ [k]. There is exactly one maximal computation path Π starting from configuration (a_f, q^{i-1}p). If Π is finite then it must end in a configuration (a_g, q^n), for some signature symbol g of arity n.

2.2 Derived Trees

An infinite tree in T(Σ^⊥) can be viewed as an infinite λ-term in a natural way if we read f(t_1, ..., t_k) as the nested application (...((f t_1) t_2) ... t_k).

Conversely, we will show a method to derive a tree in T(Σ^⊥) from a closed boundedly typed λ-tree M of type 0. Intuitively, this will be a tree to which M eventually evaluates, after performing all β-reductions. However, not all branches of reduction need converge, and therefore we will sometimes put ⊥ instead of a signature symbol.

A tree t_M: Dom t_M → Σ^⊥ will be defined along with a partial mapping l_M from Dom t_M to G(M) in such a way that the label of l_M(w) in G(M) coincides with t_M(w). More specifically, the domain of l_M will be Dom^+ t_M = {w ∈ Dom t_M : t_M(w) ≠ ⊥}. At first, consider the maximal computation path Π in G(M) starting from (a_M, ε) (cf. Lemma 2). If it is infinite, we let t_M = ⊥ and l_M = ∅. Otherwise, again by Lemma 2, Π ends in a node labeled by a signature symbol. We call this node the source of M and denote it by s_M. We let l_M: ε ↦ s_M, and t_M(ε) = f, where f is the label of s_M. Now suppose l_M and t_M are defined for a node w, with t_M(w) = g and l_M(w) = a = a_g, where g is a signature symbol of arity k. For each i = 1, ..., k, we consider the maximal computation path Π_i in G(M) starting from (a, q^{i-1}p). By Lemma 2 the path Π_i is well defined, and if it is finite, the last node, say a_i, is labeled by a signature symbol, say g_i. Then we define t_M and (possibly) l_M for the k successors of w, by t_M(wi) = g_i and l_M(wi) = a_i, if Π_i is finite, and t_M(wi) = ⊥ otherwise.

For Sect. 3 we also need an extension l_M^* of l_M defined on the whole Dom t_M. Without loss of generality, we can assume that the root ε of G(M) is not labeled by a signature symbol.¹ We let l_M^*(w) = l_M(w) if l_M(w) is defined, and l_M^*(w) = ε otherwise.

¹ Otherwise G(M) consists of a single node labeled by a constant, and all the results in the sequel become trivial. We choose ε for concreteness, but any other node not in l_M(Dom^+ t_M) could be used instead.
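The construction of Sects. 2.1 and 2.2 for a finite closed λ-tree, as an added example that is not code from the paper: it builds G(M) with the edge labels and orientations described above, lets V choose at every node the unique traversable non-backtracking edge, and reads off t_M by restarting V at each signature symbol with pds q^{i-1}p. The term syntax, the node and function names and the step bound standing in for an infinite path are assumptions of the example.

```python
"""Added example, not code from the paper: the lambda-graph G(M) of a finite
closed lambda-tree M of type 0 (Sect. 2.1) and the walk of the stateless
pushdown automaton V that reads off the derived tree t_M (Sect. 2.2).
Term syntax (an assumption of this example): ('var', x), ('sym', f, arity),
('app', M, N), ('lam', x, M); every variable has type 0 as in Sect. 2."""


class Graph:
    def __init__(self):
        self.kind = []    # node -> 'c', '@', 'lam', 'u' or 'sym'
        self.label = []   # node -> symbol or variable name
        self.arity = []   # node -> arity (signature symbols only)
        self.adj = []     # node -> [(edge, other node, pds op, is binder edge)]
        self.edges = 0

    def node(self, kind, label='', arity=0):
        for store, value in ((self.kind, kind), (self.label, label),
                             (self.arity, arity), (self.adj, [])):
            store.append(value)
        return len(self.kind) - 1

    def edge(self, src, dst, lab=None, binder=False):
        """Edge oriented src -> dst, labeled lab (None: unlabeled).  Taking it
        forward pushes lab, taking it backward pops lab; unlabeled: no-op."""
        e, self.edges = self.edges, self.edges + 1
        self.adj[src].append((e, dst, ('push', lab) if lab else None, binder))
        self.adj[dst].append((e, src, ('pop', lab) if lab else None, binder))


def build(g, term, env):
    """Add G(term) to g and return its entry node; env maps bound variables to
    their lambda-nodes."""
    tag = term[0]
    if tag == 'var':                  # bound occurrence: p-arrow up to the binder
        u = g.node('u', term[1])
        g.edge(u, env[term[1]], 'p', binder=True)
        return u
    if tag == 'sym':
        return g.node('sym', term[1], term[2])
    if tag == 'lam':                  # body -> lambda-node: q-arrow upward
        lam = g.node('lam', term[1])
        g.edge(build(g, term[2], {**env, term[1]: lam}), lam, 'q')
        return lam
    c, at = g.node('c'), g.node('@')  # the extra c-node above every @-node
    g.edge(c, at, 'q')                # c -> @: q-arrow downward
    g.edge(at, build(g, term[1], env))            # function part: unlabeled
    g.edge(build(g, term[2], env), at, 'p')       # argument -> @: p-arrow upward
    return c


def run(g, start, pds, max_steps=10_000):
    """Maximal computation path of V from (start, pds), pds top at the left.
    Returns the final configuration, or None if no end is reached within
    max_steps (the stand-in here for an infinite path)."""
    node, prev, via_binder = start, None, False
    for _ in range(max_steps):
        moves = []
        for e, other, op, binder in g.adj[node]:
            if e == prev or (binder and via_binder):   # straight path: no edge
                continue                                # twice, no two binder edges
            if op is None or op[0] == 'push' or pds.startswith(op[1]):
                moves.append((e, other, op, binder))
        if not moves:
            return node, pds
        assert len(moves) == 1, "maximal computation path is unique (Lemma 2)"
        prev, node, op, via_binder = moves[0]
        if op and op[0] == 'push':
            pds = op[1] + pds
        elif op:
            pds = pds[1:]
    return None


def derived_tree(g, start, pds=''):
    """t_M as nested (symbol, [subtrees]); 'bottom' where V does not stop."""
    end = run(g, start, pds)
    if end is None:
        return 'bottom'
    node, w = end
    k = g.arity[node]
    assert g.kind[node] == 'sym' and w == 'q' * k, "ends at a symbol with q^n (Lemma 2)"
    # i-th successor: restart V at the same symbol node with pds q^(i-1) p
    return g.label[node], [derived_tree(g, node, 'q' * i + 'p') for i in range(k)]


def derive(term):
    g = Graph()
    return derived_tree(g, build(g, term, {}))


def sample():
    """Constructed term (λx. g x x)(f a) with g: 0->0->0, f: 0->0, a: 0."""
    g2, f1, a0 = ('sym', 'g', 2), ('sym', 'f', 1), ('sym', 'a', 0)
    body = ('app', ('app', g2, ('var', 'x')), ('var', 'x'))
    return ('app', ('lam', 'x', body), ('app', f1, a0))


if __name__ == '__main__':
    print(derive(sample()))   # ('g', [('f', [('a', [])]), ('f', [('a', [])])])
```

Running the sample shows the substitution happening through the graph alone: the second argument of g is found by climbing from the u-node to its binder, over to the @-node and down into the argument (f a), without any rewriting of the term.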
2.3 Beta Reduction

We will now examine how a β-reduction step applied to a λ-tree M may affect a path Π in G(M). Suppose M_1 is obtained from M by a β-reduction replacing a redex (λy.A)B by A[y := B]. In order to transform G(M) into G(M_1) one finds out all the variable nodes bound by the λ-node at the top of G(λy.A). Then the subgraph G((λy.A)B) is replaced by G(A) where all such variable nodes are replaced by copies of the whole graph G(B). We consider only the case when y is free in A; the other case is easier and left to the reader. Fig. 3(a) presents a redex, and Fig. 3(b) shows its contractum. Consider a weakly regular path Π_1 in M_1. We define a path Π in M as follows:

Fig. 3.



• Outside of the redex the path is unchanged.

• The same for portions of the path within G(A[y := B]) but outside of G(B).

• Each copy of G(B) in G(A[y := B]) is represented in the redex by the single argument G(B). Every portion of the path Π_1 that goes through any of the multiple G(B)'s in G(A[y := B]) is replaced by an identical portion going through G(B) in the redex.

• Whenever Π_1 enters G(A[y := B]) through its top node, the path Π enters G((λy.A)B) through its top node (a q-arrow), then goes to G(λy.A) and takes the q-arrow backward to enter G(A). (Note that there is no other choice.)

• Whenever Π_1 enters G(B) through its top node, the path Π reaches a u-node within G(A). Then it must go to the argument G(B), traversing p and then p backward.

• Whenever Π_1 enters or leaves G(A[y := B]) through a variable (i.e., via an edge between a variable node and its binder), the path Π enters or leaves the redex through the corresponding variable. (Note that no variable free in B can be bound in A[y := B].)

In this case we say that Π_1 is a deformation of Π.

Suppose now that M → N. Then every node β of G(N) may be seen as obtained from a node α of G(M). We say that β is an offset of α. This notion should be obvious up to one specific point: the entry node to a contractum of a redex (the entry to G(A) at Fig. 3(b)) should be considered an offset of the entry node of the body of the abstraction (the entry to G(A) at Fig. 3(a)) and not of the entry node of the redex or of the abstraction.

In this way we can say that a node of G(M) may have one or more offsets or no offset at all, but each node of G(N) is an offset of exactly one node of G(M). In addition, a variable or constant may only be an offset of an identical variable or constant. It should be obvious that the type associated to a node and to its offset must be the same.

Let a path Π_1 in G(N) from node β_1 to node β_2 be a deformation of a path Π in G(M). Let α_1 and α_2 be respectively the initial and final nodes of Π. Then of course β_1 and β_2 are respectively offsets of α_1 and α_2.



Proposition 2. Let M and N be closed λ-trees of level 0, and let t_M and t_N be the respective derived trees. If M → N then t_M = t_N.

Proof. Consider the inductive construction of the tree t_N, as described in Section 2.2. It may be readily established that each computation path in G(N) used in this construction is a deformation of a computation path in G(M). If the former is infinite, the latter must be infinite too. If the former reaches a signature symbol f, so must the latter, because a_f must be an offset of a_f. Hence the result follows by induction on the levels of the tree t_N. □



3 Moving between MSO Theories

Let $M$ be a closed boundedly typed $\lambda$-tree of level 0. We are going to show that
the MSO theory of the derived tree $t_M$ can be interpreted in the MSO theory
of $G(M)$, viewed as a specific logical structure $G_M$ defined below. We shall
see that both structures are bisimilar in the usual process-theoretic sense (see
e.g. Definition 6.3.10 of […]). By composing several well-known facts about the
propositional modal $\mu$-calculus (see e.g. […]), we can establish the following.

Proposition 3. There is a recursive mapping $\rho$ of MSO sentences such that for
every MSO sentence $\varphi$, every tree $t \in T^\infty(\Sigma)$ and every countable structure $\mathcal A$
which is bisimilar to $t$, the following holds: $t \models \varphi$ iff $\mathcal A \models \rho(\varphi)$.

We define $\Sigma^* := \Sigma \cup \{@, \lambda, c, v\}$, where the symbol $@$ is binary, $\lambda$ and $c$ are
unary, and $v$, as well as all symbols from $\Sigma$, are 0-ary. Recall that $G(M)$ is a
tree over $\Sigma^*$ additionally equipped with the edges from $v$-nodes to their binders
($\lambda$-nodes). Let us denote the domain of $G(M)$ by $W$. We consider the structure
$$G_M = \big(W,\ \{p_f^{G_M} : f \in \Sigma^*\} \cup \{d_i^{G_M} : 1 \le i \le m_{\Sigma^*}\} \cup \{E^{G_M}\}\big),$$
where $p_f^{G_M}$ and $d_i^{G_M}$ are defined as in Section […], and $(u,w) \in E^{G_M}$ whenever $G(M)(u) = v$,
$G(M)(w) = \lambda$, and there is an edge in $G(M)$ from $u$ to $w$.

We now define the structure $I_M$ over the same vocabulary as $t_M$, of universe
$I^*_M(\mathrm{Dom}\, t_M)$, by letting, for $f \in \Sigma$, $p_f^{I_M} = \{I^*_M(w) : t_M(w) = f\}$, and,
for $1 \le i \le m_\Sigma$, $d_i^{I_M} = \{(I^*_M(w), I^*_M(wi)) : wi \in \mathrm{Dom}\, t_M\}$. Clearly $I^*_M$ is an
epimorphism from $t_M$ onto $I_M$; moreover, whenever $(I^*_M(w), v) \in d_i^{I_M}$ there is $v'$
with $I^*_M(v') = v$ and $(w, v') \in d_i^{t_M}$, and $I^*_M(w) \in p_f^{I_M}$ implies $w \in p_f^{t_M}$. It follows that $t_M$ and $I_M$
are bisimilar as transition systems.

The next lemma allows to accomplish the interpretation of the MSO theory
of $I_M$ in that of $G_M$.

Lemma 3. For any MSO sentence $\varphi$, one can construct effectively an MSO
sentence $\psi$ such that $I_M \models \varphi$ if and only if $G_M \models \psi$.

Proof. It is enough to interpret the structure $I_M$ in the MSO theory of $G_M$.
Since the universe of $I_M$ is already a subset of the universe of $G(M)$, it is
enough to write MSO formulas, say $Uni(x)$, $P_f(x)$ for $f \in \Sigma$, and $D_i(x,y)$
for $1 \le i \le m_\Sigma$, defining the relations $I^*_M(\mathrm{Dom}\, t_M)$, $p_f^{I_M}$, and $d_i^{I_M}$, respectively.

The formulas $P_f(x)$ are obvious. To write formulas $D_i(x,y)$, the key point
is to express the property "there is a finite computation path $\Pi$ starting from
configuration $(\alpha_f, \ldots)$ (where $f$ is a signature symbol of arity $k$), and ending
in a node labeled by a signature symbol". Note that such a path must be
maximal, and hence, by Lemma 2, there is at most one such path. Moreover, by
Proposition […] this computation can be carried out by a finite automaton. (It follows
easily from Lemma […] that the computation empties the pds at least once.) Therefore,
it is routine to express the desired property by the known techniques, see
Caucal […]. The existence of an infinite computation path can be expressed by
negation of the existence of finite maximal paths. The argument for expressing a
computation path starting from $(\alpha_M, \varepsilon)$ is similar. This allows to write formulas
$D_i(x,y)$. Using formulas $P_f(x)$ and $D_i(x,y)$, it is routine to write the desired
formula $Uni(x)$. □

By combining Proposition 3 and Lemma 3 we get the following result.

Theorem 2. Let $M$ be a closed boundedly typed $\lambda$-tree of type 0, and let $t_M \in
T^\infty(\Sigma^\bot)$ be the tree derived from $M$. Then the MSO theory of $t_M$ is reducible
to the MSO theory of $G_M$, that is, there exists a recursive mapping of sentences
$\varphi \mapsto \varphi'$ such that $t_M \models \varphi$ iff $G_M \models \varphi'$.



4 Grammars

We now fix two disjoint typed alphabets, $N = \{N^\tau\}_{\tau \in T}$ and $X = \{X^\tau\}_{\tau \in T}$, of
nonterminals and variables (or parameters), respectively. A grammar is a tuple
$\mathcal G = (\Sigma, V, S, E)$, where $\Sigma$ is a signature, $V \subseteq N$ is a finite set of nonterminals,
$S \in V$ is a start symbol of type 0, and $E$ is a set of equations of the form
$F z_1 \ldots z_m = w$, where $F : \tau_1 \to \cdots \to \tau_m \to 0$ is a nonterminal in $V$, $z_i$ is a
variable of type $\tau_i$, and $w$ is an applicative term in $T(\Sigma \cup V \cup \{z_1, \ldots, z_m\})$.
We assume that for each $F \in V$, there is exactly one equation in $E$ with $F$
occurring on the left hand side. Furthermore, we make a proviso that each nonterminal
in a grammar has a homogeneous type, and that if $m \ge 1$ then $\tau_m = 0$.
This implies that each nonterminal of level $> 0$ has at least one parameter of
level 0 (which need not, of course, occur at the right-hand side). The level of a
grammar is the highest level of its nonterminals.

In this paper, we are interested in grammars as generators of $\Sigma$-trees. First,
for any applicative term $t$ over $\Sigma \cup V$, let $t^\bot$ be the result of replacing in $t$
each nonterminal, together with its arguments, by $\bot$. (Formally, $t^\bot$ is defined
by induction: $f^\bot = f$ for $f \in \Sigma$, $X^\bot = \bot$ for $X \in V$, and $(sr)^\bot = (s^\bot r^\bot)$ if
$s^\bot \ne \bot$, otherwise $(sr)^\bot = \bot$.) It is easy to see that if $t$ is an applicative term
(over $\Sigma \cup V$) of type 0 then $t^\bot$ is an applicative term over $\Sigma^\bot$ of type 0. Recall
that applicative terms over $\Sigma^\bot$ of type 0 can be identified with finite trees.

We will now define the single-step rewriting relation $\to_{\mathcal G}$ among the terms
over $\Sigma \cup V$. Informally speaking, $t \to_{\mathcal G} t'$ whenever $t'$ is obtained from $t$ by
replacing some occurrence of a nonterminal $F$ by the right-hand side of the
appropriate equation in which all parameters are in turn replaced by the actual
arguments of $F$. Such a replacement is allowed only if $F$ occurs as a head of a
subterm of type 0. More precisely, the relation $\to_{\mathcal G} \subseteq T(\Sigma \cup V) \times T(\Sigma \cup V)$ is
defined inductively by the following clauses.

• $F t_1 \ldots t_k \to_{\mathcal G} t[z_1 := t_1, \ldots, z_k := t_k]$ if there is an equation $F z_1 \ldots z_k = t$ (with
$z_i : \rho_i$, $i = 1, \ldots, k$), and $t_i \in T(\Sigma \cup V)_{\rho_i}$, for $i = 1, \ldots, k$.

• If $t \to_{\mathcal G} t'$ then $(st) \to_{\mathcal G} (st')$ and $(tq) \to_{\mathcal G} (t'q)$, whenever the expressions in
question are applicative terms.

A reduction is a finite or infinite sequence $t_0 \to_{\mathcal G} t_1 \to_{\mathcal G} \ldots$ of terms in
$T(\Sigma \cup V)$. We define the relation $t \Rightarrow_{\mathcal G} t'$, where $t$ is an applicative term in
$T(\Sigma \cup V)$ and $t'$ is a tree in $T^\infty(\Sigma^\bot)$, by

• $t'$ is a finite tree, and there is a finite reduction sequence $t = t_0 \to_{\mathcal G} \ldots \to_{\mathcal G} t_n$
with $t_n^\bot = t'$, or

• $t'$ is infinite, and there is an infinite reduction sequence $t = t_0 \to_{\mathcal G} t_1 \to_{\mathcal G} \ldots$
such that $t' = \lim t_n^\bot$.

To define a unique tree produced by the grammar, we recall a standard approximation
ordering on $T^\infty(\Sigma^\bot)$: $t' \sqsubseteq t$ if $\mathrm{Dom}\, t' \subseteq \mathrm{Dom}\, t$ and, for each $w \in \mathrm{Dom}\, t'$,
$t'(w) = t(w)$ or $t'(w) = \bot$. (In other words, $t'$ is obtained from $t$ by replacing
some of its subtrees by $\bot$.) Then we let $[\![\mathcal G]\!] = \sup\{t \in T^\infty(\Sigma^\bot) : S \Rightarrow_{\mathcal G} t\}$. It is
easy to see that, by the Church-Rosser property of our grammar, the above set
is directed, and hence $[\![\mathcal G]\!]$ is well defined since $T^\infty(\Sigma^\bot)$ with the approximation
ordering is a cpo. Furthermore, it is routine to show that if an infinite reduction
$S = t_0 \to_{\mathcal G} t_1 \to_{\mathcal G} \ldots$ is fair, i.e., any occurrence of a nonterminal symbol is
eventually rewritten, then its result $t' = \lim t_n^\bot$ is $[\![\mathcal G]\!]$.



From grammar terms to $\lambda$-trees. Given a grammar $\mathcal G$, we define a map $\Lambda_{\mathcal G}$
of $T(\Sigma \cup V \cup X)$ into the set of $\lambda$-trees (over $\Sigma$) such that

(1) $\Lambda_{\mathcal G}(t) = f$, if $t$ is a function symbol $f \in \Sigma$,

(2) $\Lambda_{\mathcal G}(t) = x$, if $t$ is a variable $x \in X_0$,

(3) $\Lambda_{\mathcal G}(t) = \lambda x'_1 \ldots x'_n .\, \Lambda_{\mathcal G}(r[\varphi_1 := t_1, \ldots, \varphi_m := t_m, x_1 := x'_1, \ldots, x_n := x'_n])$, where
the variables $x'_1, \ldots, x'_n$ are chosen so that no $x'_i$ occurs free in any of
$t_j$, if $t = F t_1 \ldots t_m$, $F \varphi_1 \ldots \varphi_m x_1 \ldots x_n = r$ is an equation of $\mathcal G$ and
$\mathrm{type}(\varphi_i) = \mathrm{type}(t_i)$ for $i \in [m]$,

(4) $\Lambda_{\mathcal G}(t) = \Lambda_{\mathcal G}(t_1)\,\Lambda_{\mathcal G}(t_2)$, if $t = t_1 t_2$ where $t_1 : 0 \to \tau$ and $t_2 : 0$.

It is a routine exercise to prove that $\Lambda_{\mathcal G}$ is well defined. To this end one may first
define (co-inductively) an appropriate relation, establish its functionality and
show that it corresponds to the above definition of $\Lambda_{\mathcal G}$.

We have the following characterization of $[\![\mathcal G]\!]$ in terms of the operation $\Lambda_{\mathcal G}$ and
derivation of trees from $\lambda$-graphs (see […] for a proof).

Proposition 4. Let $M = \Lambda_{\mathcal G}(S)$. Then $t_M = [\![\mathcal G]\!]$.



5 Decidability Result

By Proposition 4 and Theorem 2 the decision problem of the MSO theory of
a tree generated by a grammar reduces to that of the graph $G(\Lambda_{\mathcal G}(S))$. We are
now interested in generating, in a sense, the last graph by a grammar of level 1.
Note, however, that the underlying tree structure of $G(M)$ does not keep the
complete information about the tree $M$. Indeed, while converting a $\lambda$-tree $M$
into a graph $G(M)$ we have replaced a (possibly) infinite number of labels $\lambda x_i$ and
$x_i$ by only two labels, $\lambda$ and $v$, at the expense of introducing "back edges". One
might expect that these back edges are MSO definable in the underlying tree
structure of $G(M)$, but it is not always the case. A good situation occurs if in
part (3) of the definition of $\Lambda_{\mathcal G}$ we need not rename the bound variables (i.e.,
we can take $x'_i := x_i$, for $i = 1, \ldots, n$).



Definition 3. Let $\mathcal G$ be a grammar of level 2. We call the grammar unsafe if
there are two equations (not necessarily distinct) $F \varphi_1 \ldots \varphi_m x_1 \ldots x_n = r$ and
$F' \varphi'_1 \ldots \varphi'_{m'} x'_1 \ldots x'_{n'} = r'$ (where the $\varphi$'s are of level 1 and the $x$'s of level 0)
such that $r$ has a subterm $F' t_1 \ldots t_{m'}$ such that some variable $x_i$ occurs free in
some term $t_j$. Otherwise the grammar is safe. (Note that in the above, $x_i$ may
occur in arguments of $F'$ of type 0, but not in those of level 1.)

It is easy to see that if a grammar is safe then in the definition of $\Lambda_{\mathcal G}(S)$ we are
not obliged to introduce any new variables.

Let $\mathcal G = (\Sigma, V, S, E)$ be a safe grammar of level 2. We may assume that the
parameters of type 0 occurring in distinct equations are different. Let $X^{\mathcal G} =
\{x_1, \ldots, x_l\}$ be the set of all parameters of type 0 occurring in grammar $\mathcal G$. We
define an algebraic (i.e., level 1) grammar $\mathcal G^\alpha = (\Sigma^\alpha, V^\alpha, S^\alpha, E^\alpha)$ as follows.

First we define a translation $\alpha$ of (homogeneous) types of level 2 to types
of level 1 that maps $(0^k \to 0)$ to $0$, and $(0^{k_1} \to 0) \to \cdots \to (0^{k_m} \to 0) \to 0^n \to 0$
to $0^m \to 0$. We will denote $\alpha(\tau)$ by $\tau^\alpha$. Let $\Sigma^\alpha = \Sigma \cup
\{@, c, \lambda x_1, \ldots, \lambda x_l, x_1, \ldots, x_l\}$, where all symbols from $\Sigma$ as well as (former)
parameters $x_i$ are considered constant, the symbol $@$ is binary, and the symbol
$c$ as well as all symbols $\lambda x_i$ are unary. Now, for a typed term $r : \tau$ over signature
$\Sigma$, we define a term $r^\alpha : \tau^\alpha$ over $\Sigma^\alpha$ as follows:

• for a nonterminal $F : \tau$, $F^\alpha$ is a fresh symbol of type $\tau^\alpha$,

• $s^\alpha = s$ for each parameter of $\mathcal G$ (thus parameters of level 0 become constants,
and parameters of level 1 change their types to 0),

• if $r = F t_1 \ldots t_m$ then $r^\alpha = F^\alpha t_1^\alpha \ldots t_m^\alpha$, whenever $F$ is a nonterminal of type
$(0^{k_1} \to 0) \to \cdots \to (0^{k_m} \to 0) \to 0^n \to 0$,

• if $r = (ts)$ with $s : 0$ then $r^\alpha = @\, t^\alpha s^\alpha$.

Now $E^\alpha := \{F^\alpha \varphi_1 \ldots \varphi_m = \lambda x_1 \ldots \lambda x_n .\, r^\alpha \mid F \varphi_1 \ldots \varphi_m x_1 \ldots x_n = r \in E\}$
(where the $\varphi$'s are of level 1 and the $x$'s of level 0) and $V^\alpha = \{F^\alpha : F \in V\}$,
which completes the definition of $\mathcal G^\alpha$.

Now let $t^\alpha = [\![\mathcal G^\alpha]\!]$ be the tree over $\Sigma^{\alpha\bot}$ generated by $\mathcal G^\alpha$, and let $t^\alpha$ also
stand for the logical structure associated with it. We transform $t^\alpha$ into a structure $t^\beta$ over the
vocabulary $\{p_f : f \in \Sigma^*\} \cup \{d_i : 1 \le i \le m_{\Sigma^*}\} \cup \{E\}$ as follows. The universe
remains the same as in $t^\alpha$, as well as the interpretation of symbols $d_i$ and $p_f$
for $f$ different from $\lambda x_i$ and $x_i$. Furthermore, $w \in p_\lambda^{t^\beta}$ whenever $w \in p_{\lambda x_i}^{t^\alpha}$, and
$w \in p_v^{t^\beta}$ whenever $w \in p_{x_i}^{t^\alpha}$, for some $x_i \in X^{\mathcal G}$. Finally, we let $(u,w) \in E^{t^\beta}$
whenever $w$ is the binder of $u$, i.e., $t^\alpha(u) = x_i$, $t^\alpha(w) = \lambda x_i$, and $w$ is the closest
ancestor of $u$ labeled by $\lambda x_i$.

Lemma 4. The structure $t^\beta$ is MSO definable in the structure $t^\alpha$.

Furthermore we claim the following.

Lemma 5. Let grammars $\mathcal G$ and $\mathcal G^\alpha$ be as above, and let $M = \Lambda_{\mathcal G}(S)$. Then the
structure $t^\beta$ coincides with the structure $G_M$ defined for $M$ as in Section 3.

We conclude with the main result of the paper.

Theorem 4. Let $\mathcal G$ be a safe grammar of level 2. Then the monadic theory of
$[\![\mathcal G]\!]$ is decidable.

Proof. Since the tree $t^\alpha$ is algebraic, its MSO theory is decidable, by the result
of Courcelle […]. Let $M = \Lambda_{\mathcal G}(S)$. By Lemmas 4 and 5 the MSO theory of $G_M$
is decidable. By Proposition 4, $[\![\mathcal G]\!] = t_M$. It is easy to see that, by construction,
$M$ is boundedly typed. Hence the result follows from Theorem 2. □

Example 1. Let $f, g, c$ be signature symbols of arity 2, 1, 0, respectively. Consider
a grammar of level 2 with nonterminals $S : 0$ and $F, G : (0 \to 0) \to 0 \to 0$, and
equations
$$S = F g c \qquad F \varphi x = f\,(F\,(G \varphi)\,(\varphi x))\,x \qquad G \varphi y = \varphi(\varphi y)$$
It is easy to see that this grammar generates a tree $t$ with $\mathrm{Dom}\, t = \{1^n 2^m :
m \le 2^n\}$, such that $t(1^n) = f$, $t(1^n 2^{2^n}) = c$, and $t(w) = g$ otherwise. Since
$\mathrm{Dom}\, t$ considered as a language is not context-free, the tree $t$ is not algebraic
(see […]). Since the grammar is safe, the decidability of the MSO theory of $t$ follows
from Theorem 4.
Abstract. This paper shows how a symmetric and non-deterministic
cut elimination procedure for a classical sequent calculus can be faithfully
simulated using a non-deterministic choice operator to combine different
'double-negation' translations of each cut. The resulting interpretation
of classical proofs in a $\lambda$-calculus with non-deterministic choice leads to
a simple proof of termination for cut elimination.

1 Introduction 

The problem faced when analysing classical logic from a computational per- 
spective is that the very wildness which makes it hard to understand is also 
what makes it interesting — its symmetries cannot be disentangled from the 
non-deterministic behaviour of cut elimination, and this non-determinism is a 
formidable obstacle to proof theoretical, semantic, or computational interpreta- 
tions of classical proofs. 

Previous analyses, such as [10, 16, 11,7] have often resolved this problem by 
‘controlling’ the non-determinism of classical cuts out of existence by predeter- 
mining their behaviour, either systematically or by attaching additional infor- 
mation to proofs. This permits an interpretation in terms of a deterministic 
system such as double negation translation [13], control operators [14] or ‘linear 
decoration’ [7]. Although these interpretations have generated many key insights 
(ingredients of the approach described here) they seem inevitably to lose some 
proof-theoretic content because only a limited selection of the possible cut elimi- 
nation behaviours can be pre-determined (see [2, 17] and the discussion in Section 
1.2 below). On the other hand, more general symmetric and non-deterministic 
cut elimination and normalisation procedures have been described via rewriting 
systems for term-annotations of classical proofs [16, 2, 17] but without compara- 
ble analysis in terms of simpler or more well-behaved logics. The work reported 
here is an attempt to make a connection between these two approaches by fur- 
ther examination of the choices encountered in classical cut elimination, leading 
to a “deconstructive” translation into intuitionistic logic plus non-determinism. 

1.1 Contribution and Organization of the Paper 

The primary objective of this paper is to describe a 'double-negation' translation
on propositional formulas and proofs of LK which is sound with respect
to a simple and symmetric cut elimination protocol, and thereby preserves non-determinism
and makes it explicit. The proof theoretical dividend of this translation
is immediate: a simple proof of strong normalisation for cut elimination
(moreover, one which extends readily to second order). Less directly, the translation
suggests new semantic and computational interpretations of classical logic.

Table 1. Additive LK with multiset sequents (premisses on the left of $\Longrightarrow$, conclusion on the right)

  AXIOM:                              $\Longrightarrow \alpha, \alpha^\bot$
  CUT:     $\Gamma, A$ and $\Gamma, A^\bot$   $\Longrightarrow \Gamma$
  WK:      $\Gamma$                    $\Longrightarrow \Gamma, A$
  CON:     $\Gamma, A, A$              $\Longrightarrow \Gamma, A$
  AND:     $\Gamma, A$ and $\Gamma, B$  $\Longrightarrow \Gamma, A \wedge B$
  OR$_i$ ($i = 1, 2$):  $\Gamma, A_i$  $\Longrightarrow \Gamma, A_1 \vee A_2$

The remainder of Section 1 consists of a discussion of classical cut elimination
and non-determinism. In Section 2 a cut elimination procedure for additive
(propositional) LK is formally defined by reduction of annotating terms of the
symmetric $\lambda$-calculus, $\lambda^{Sym}$ of Barbanera and Berardi [2]. Section 3 describes
LK|, a version of LK which incorporates a non-logical rule into proofs which determines
how cuts will be eliminated. This allows the non-determinism inherent
in cut elimination to be presented in terms of a choice between different proofs
of the same formula. Proofs of LK| can be annotated with terms of an ordinary
simply-typed $\lambda$-calculus as a form of "double-negation-translation". In Section
4, LK proofs (represented as $\lambda^{Sym}$-terms) are translated into the $\lambda$-calculus
extended with an erratic choice operator, by combining different LK| disambiguations
of each cut. Soundness of the translation implies strong-normalisation of
the cut elimination procedure. There is also a stronger soundness result; the
normal forms of the translation of a term which annotates a proof are precisely
the translations of the terms which annotate its cut free forms.

1.2 Cut Elimination and Non-determinism

Definition 1 (Sequent Calculus LK). Formulas of the propositional calculus
are given in 'negation normal form': they are generated from a set of literals
(atoms $\alpha, \beta, \ldots$ and negated atoms $\alpha^\bot, \beta^\bot, \ldots$) by conjunction and disjunction:
$$A ::= \alpha \mid \alpha^\bot \mid A \wedge A \mid A \vee A$$
Negation is defined by involutivity and de Morgan duality, i.e.
$$(\alpha^\bot)^\bot = \alpha, \qquad (A \wedge B)^\bot = A^\bot \vee B^\bot, \qquad (A \vee B)^\bot = A^\bot \wedge B^\bot.$$
Sequents are multisets of formulas derived according to the rules in Table 1.

Cut elimination [8] proceeds by transforming each logical cut, in which both
cut formulas are main conclusions of the last logical rule, into a cut on two of
the immediate subformulas, and transforming non-logical, or commuting, cuts
into logical cuts by commutation: moving the cut rule up the proof tree by
successively commuting it with the rules above it on the right and left hand
side (and duplicating or erasing proofs when moving past $\wedge$-introductions, and
structural rules in which the cut formula is main).

The non-determinism which arises in the additive version of LK considered here
comes from the 'structural dilemma' described in [7]. If neither cut formula is
the main conclusion of the last logical rule, then it is necessary to choose which
branch to commute the cut up first. Because of the presence of structural rules,
this choice has important consequences. A well known example is the observation
of Lafont [12] that any two proofs of the same formula can be merged (using
Cut) into a proof which has cut free forms derived from both of the original
proofs.

Definition 2. Given proofs $\pi, \pi' \vdash \Gamma$, form $\pi \mathrel{\mathrm{or}} \pi' \vdash \Gamma$ as follows: weaken the
conclusion of $\pi$ by $A$ and that of $\pi'$ by $A^\bot$, and cut on $A$:

    $\pi \vdash \Gamma$  (WK)  $\Gamma, A$          $\pi' \vdash \Gamma$  (WK)  $\Gamma, A^\bot$
    (CUT)  $\Gamma$

Commute the cut up the left branch, and the right branch is discarded, and
vice-versa. So if $\pi, \pi'$ are cut free, then there are two cut free forms of $\pi$ or $\pi'$:
$\pi$ and $\pi'$. Thus any congruence (for instance, a denotational equivalence)
generated by such a cut elimination procedure must equate $\pi$ and $\pi'$ and hence
be trivial. However, this is consistent with an idea underlying the geometry
of interaction [9], and game semantics [4,1,5], that cut elimination is a process
analogous to computation. Non-determinism is both a standard property
of computational processes and a key feature of many important algorithms and
the physical systems on which programs are run. But can a connection between
non-deterministic computation and non-deterministic cut elimination be established?
Computationally, or corresponds to an erratic 'choice operator' [15],
showing in principle that many non-deterministic algorithms may be extracted
from proofs. A more difficult question is whether there are natural proofs which
have computational content which is non-deterministic. Coquand [5,6] has described
examples of symmetric classical existence proofs from which two different
witnesses can be extracted by different double negation translations, but much
work remains to be done.

The structural dilemma can be seen as a problem of ambiguity: classical
proofs do not carry sufficient information to determine their cut elimination
behaviour, and so additional information must either be supplied with the proofs,
or during the cut elimination process. The most comprehensive and systematic
attempt to describe and analyse the former option is the LK$_{tq}$ calculus (and
refinements) proposed by Danos, Joinet and Schellinx [7]. This 'disambiguates'
proofs by attaching one of two complementary colours, $t$ and $q$, to each formula,
to determine how to eliminate any commuting cuts (the details of how are not
important here). This annotation permits a confluent cut elimination procedure
to be defined which is preserved by a translation of coloured formulas and their
proofs into linear logic (linear decoration). So, for example, the two colourings
of the cut formula $A$ in the proof $\pi$ or $\pi'$ correspond to the two possible cut
elimination strategies: discard $\pi$ or discard $\pi'$.

However, as observed by Urban and Bierman [17], predetermining the behaviour
of the cuts of a proof by annotating its formulas places a somewhat
arbitrary restriction on cut elimination behaviour. Reducing a cut on a formula
$C$ can generate multiple sub-cuts on its subformulas. If the subformulas carry
extra information such as colouring, then that will also be copied, and hence
each subcut on the same subformula must be reduced in the same way. So (as
shown with an example in [17]) allowing the structural dilemma to be resolved
afresh at each cut allows more normal forms to be reached. Moreover, reduction
by colouring cut formulas lacks the following transitivity property: say that $\pi$
colour-reduces to $\pi'$ whenever there is a colouring of $\pi, \pi'$ as $\pi_c, \pi'_c$ such that $\pi_c$
reduces to $\pi'_c$; then it is not the case that if $\pi$ colour-reduces to $\pi'$ and $\pi'$ colour-reduces
to $\pi''$ then $\pi$ colour-reduces to $\pi''$, as the following example shows.
Suppose $\pi \vdash \Gamma, A$, $\chi \vdash \Gamma, B$ and $\rho \vdash \Gamma, A \wedge B$ are distinct (cut free) proofs.
Consider the following proof of $\Gamma, A \wedge B$.



The cut formula is $C \vee (D^\bot \wedge D)$ on the left against $C^\bot \wedge (D \vee D^\bot)$ on the right:

    left premiss:
      $\pi \vdash \Gamma, A$  (WK)  $\Gamma, C, A$  (OR$_1$)  $\Gamma, C \vee (D^\bot \wedge D), A$
      $\chi \vdash \Gamma, B$  (WK)  $\Gamma, C, B$  (OR$_1$)  $\Gamma, C \vee (D^\bot \wedge D), B$
      (AND)  $\Gamma, C \vee (D^\bot \wedge D), A \wedge B$
    right premiss:
      $\rho \vdash \Gamma, A \wedge B$  (WK)  $\Gamma, C^\bot, A \wedge B$
      $D, D^\bot$  (axiom; OR, CON and WK)  $\Gamma, D \vee D^\bot, A \wedge B$
      (AND)  $\Gamma, C^\bot \wedge (D \vee D^\bot), A \wedge B$
    (CUT)  $\Gamma, A \wedge B$

This reduces to:

    $\pi \vdash \Gamma, A$  (WK)  $\Gamma, C, A \wedge B, A$        $\rho \vdash \Gamma, A \wedge B$  (WK)  $\Gamma, C^\bot, A \wedge B, A$
    (CUT on $C$)  $\Gamma, A \wedge B, A$
    $\chi \vdash \Gamma, B$  (WK)  $\Gamma, C, A \wedge B, B$        $\rho \vdash \Gamma, A \wedge B$  (WK)  $\Gamma, C^\bot, A \wedge B, B$
    (CUT on $C$)  $\Gamma, A \wedge B, B$
    (AND)  $\Gamma, A \wedge B, A \wedge B$
    (CON)  $\Gamma, A \wedge B$

In the original proof, all of the occurrences of $C$ must receive the same colour,
i.e. the structural dilemma must be resolved in the same way on each of
the subcuts, hence there are only two cut free forms (having garbage-collected
structural rules): the AND of $\pi$ and $\chi$,

    $\pi \vdash \Gamma, A$        $\chi \vdash \Gamma, B$
    (AND)  $\Gamma, A \wedge B$

and $\rho \vdash \Gamma, A \wedge B$ itself.

But the cut formula $C$ can be coloured differently (i.e. the structural dilemma
can be resolved differently) in the two cuts, yielding another two cut free forms:

    $\pi \vdash \Gamma, A$  (WK)  $\Gamma, A \wedge B, A$        $\rho \vdash \Gamma, A \wedge B$  (WK)  $\Gamma, A \wedge B, B$
    (AND)  $\Gamma, A \wedge B, A \wedge B$
    (CON)  $\Gamma, A \wedge B$

    $\rho \vdash \Gamma, A \wedge B$  (WK)  $\Gamma, A \wedge B, A$        $\chi \vdash \Gamma, B$  (WK)  $\Gamma, A \wedge B, B$
    (AND)  $\Gamma, A \wedge B, A \wedge B$
    (CON)  $\Gamma, A \wedge B$

This example does not rely on any specific property of colouring; any attempt
to determine cut elimination by adding information to formulas will encounter
the same problem. Indeed, because of the large bounds on the number of cuts
which may be generated in the course of cut elimination of a proof, any fully
general disambiguation will have to carry a similar amount of information. Non-determinism
can be seen as a way of achieving the right level of generality by
allowing the choice of how to reduce cuts to be made during cut elimination.
Many of the choices introduced may be trivial in that they do not lead to different
normal forms or shorter cut elimination. But representing them explicitly is a
step towards determining which choices really do matter.



2 Terms for Classical Proofs

A system for annotating classical proofs with appropriate terms will be used
to formally define both the symmetric cut elimination protocol and the translation
into intuitionistic proofs with non-determinism. The symmetric $\lambda$-calculus
$\lambda^{Sym}$ [2] has been adopted for this role, so that normalisation of annotations
corresponds to cut elimination of proofs. This choice of annotation for classical
proofs should be seen as a practical decision motivated by the simplicity of the
typing-judgements and reduction system for $\lambda^{Sym}$ (stressed in [2]). It is possible,
however, to adapt the translation to other calculi for classical sequent proofs
such as Urban and Bierman's [17], or annotation with the $\lambda\mu$-calculus [16].

The types of $\lambda^{Sym}$ are the propositional formulas, together with a distinguished
type $\bot$. The formal definition of $\lambda^{Sym}$ terms is given in [2]. A restricted
subset of these terms (the (proof) annotations) is defined by assignment to
sequent proofs in Table 2: a proof of $\Gamma = A, B, \ldots$ is annotated with a term-in-context
$\Gamma^\bot \vdash t : \bot$, where $\Gamma^\bot$ is a context of variables of negated types
or names $a : A^\bot, b : B^\bot, \ldots$. This is similar to Urban and Bierman's calculus
for classical sequents [17]; the main difference is that the single operator $\star$
("symmetric application") is used both to annotate the cut rule itself and also in
the introduction rules for the logical connectives. This is because the purpose of
the annotations for the introduction rules is to determine their behaviour under
cut elimination, and names are simply place-holders for which subsequent cut
formulas can be substituted.

Table 2. Derivation of proof-annotations ($\lambda^{Sym}$-terms assigned to LK proofs)

  AXIOM:   $a : \alpha^\bot,\ b : \alpha \vdash a \star b : \bot$
  CUT:     $\Gamma, a : A^\bot \vdash s : \bot$ and $\Gamma, b : A \vdash t : \bot$  $\Longrightarrow$  $\Gamma \vdash \lambda a.s \star \lambda b.t : \bot$
  WK:      $\Gamma \vdash t : \bot$  $\Longrightarrow$  $\Gamma, a : A^\bot \vdash t : \bot$
  CON:     $\Gamma, a : A^\bot, b : A^\bot \vdash t : \bot$  $\Longrightarrow$  $\Gamma, c : A^\bot \vdash t[c/a][c/b] : \bot$
  AND:     $\Gamma, a : A^\bot \vdash s : \bot$ and $\Gamma, b : B^\bot \vdash t : \bot$  $\Longrightarrow$  $\Gamma, c : (A \wedge B)^\bot \vdash c \star \langle \lambda a.s, \lambda b.t \rangle : \bot$
  OR$_i$:  $\Gamma, a : A_i^\bot \vdash t : \bot$  $\Longrightarrow$  $\Gamma, b : (A_1 \vee A_2)^\bot \vdash b \star \mathrm{in}_i(\lambda a.t) : \bot$

2.1 Cut Elimination

The cut elimination procedure described in the introduction is implemented by
reduction rules for $\lambda^{Sym}$.

Definition 3. Cut reduction by rewriting of annotations:
$$\lambda a.t \star s \longrightarrow t[s/a] \qquad\qquad t \star \lambda b.s \longrightarrow s[t/b]$$
$$\mathrm{in}_i(t) \star \langle s_1, s_2 \rangle \longrightarrow t \star s_i \qquad\qquad \langle s_1, s_2 \rangle \star \mathrm{in}_i(t) \longrightarrow s_i \star t$$

The first pair of rules implement structural cut-reduction by directly transporting
copies of the proof of one cut formula to each of the points where the other
was introduced, the latter two implement logical cut-reduction. So, for example,
if we have annotations $s, t : \bot$, we can form the non-deterministic merging
$$s \mathrel{\mathrm{or}} t = \lambda a : A.\,s \star \lambda b : A^\bot.\,t \qquad (a, b \notin FV(s) \cup FV(t))$$
such that $s \mathrel{\mathrm{or}} t \longrightarrow s$ and $s \mathrel{\mathrm{or}} t \longrightarrow t$.

Each full cut reduction step corresponds to three different operations on
proofs: commute and copy the cut up one branch, commute and copy up the
other branch, and reduce all resulting logical cuts. One consequence is that the
price to pay for the simplicity of the rewriting system is that it lacks a kind of
subject reduction property: the set of proof annotations is not closed under
$\lambda^{Sym}$ reduction. For example, $\lambda a.(a \star b) \star \lambda c.(d \star c) \longrightarrow (\lambda c.(d \star c)) \star b$. However,
the important point is that the notion of proof annotations is closed under
normalisation. To show this, a larger set of reachable terms, which is closed
under reduction, can be defined by including the intermediate logical and
structural cut reduction steps as term-assignment rules.
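As an added example (not from the paper), the four rules of Definition 3 as a rewriter on untyped $\lambda^{Sym}$ terms. Terms are tagged tuples, and the names p, q, d, b standing for annotations of cut-free proofs are assumed free names; types are omitted because the rules never inspect them. Since both structural rules can fire on the same $\star$, the example enumerates every one-step reduct and collects all reachable normal forms, which reproduces $s \mathrel{\mathrm{or}} t \longrightarrow s$ and $s \mathrel{\mathrm{or}} t \longrightarrow t$, and the subject-reduction example $\lambda a.(a \star b) \star \lambda c.(d \star c)$ above.

```python
# Added example (not from the paper): cut reduction of Definition 3 on untyped
# lambda^Sym terms, enumerating every reduct so that the non-determinism of the
# two structural rules is visible.  Proof placeholders p, q, d, b, ... are
# assumed free names standing for annotations of cut-free proofs.
#
# Terms: ('var', a) | ('lam', a, t) | ('star', s, t) | ('in', i, t) | ('pair', s, t)
import itertools

_fresh = itertools.count()


def var(a): return ('var', a)
def lam(a, t): return ('lam', a, t)
def star(s, t): return ('star', s, t)
def inj(i, t): return ('in', i, t)
def pair(s, t): return ('pair', s, t)


def fv(t):
    """Free names of t."""
    k = t[0]
    if k == 'var':
        return {t[1]}
    if k == 'lam':
        return fv(t[2]) - {t[1]}
    if k == 'in':
        return fv(t[2])
    return fv(t[1]) | fv(t[2])


def subst(t, a, s):
    """t[s/a], capture-avoiding: a binder clashing with FV(s) is renamed first."""
    k = t[0]
    if k == 'var':
        return s if t[1] == a else t
    if k == 'lam':
        b, body = t[1], t[2]
        if b == a:
            return t
        if b in fv(s):
            b2 = f"{b}'{next(_fresh)}"
            body, b = subst(body, b, var(b2)), b2
        return lam(b, subst(body, a, s))
    if k == 'in':
        return inj(t[1], subst(t[2], a, s))
    return (k, subst(t[1], a, s), subst(t[2], a, s))


def root_reducts(t):
    """Every way of firing one rule of Definition 3 at the root of t."""
    if t[0] != 'star':
        return []
    l, r, out = t[1], t[2], []
    if l[0] == 'lam':                       # λa.t ⋆ s  →  t[s/a]
        out.append(subst(l[2], l[1], r))
    if r[0] == 'lam':                       # t ⋆ λb.s  →  s[t/b]
        out.append(subst(r[2], r[1], l))
    if l[0] == 'in' and r[0] == 'pair':     # in_i(t) ⋆ <s1,s2>  →  t ⋆ s_i
        out.append(star(l[2], r[l[1]]))
    if l[0] == 'pair' and r[0] == 'in':     # <s1,s2> ⋆ in_i(t)  →  s_i ⋆ t
        out.append(star(l[r[1]], r[2]))
    return out


def reducts(t):
    """All one-step reducts of t (at the root or inside any subterm)."""
    out, k = root_reducts(t), t[0]
    if k == 'lam':
        out += [lam(t[1], u) for u in reducts(t[2])]
    elif k == 'in':
        out += [inj(t[1], u) for u in reducts(t[2])]
    elif k in ('star', 'pair'):
        out += [(k, u, t[2]) for u in reducts(t[1])]
        out += [(k, t[1], u) for u in reducts(t[2])]
    return out


def normal_forms(t):
    """Set of normal forms reachable from t; finite because reduction is SN."""
    seen, todo, nfs = set(), [t], set()
    while todo:
        u = todo.pop()
        if u in seen:
            continue
        seen.add(u)
        rs = reducts(u)
        if rs:
            todo.extend(rs)
        else:
            nfs.add(u)
    return nfs


def OR(s, t, a='a', b='b'):
    """Lafont's merging  s or t = λa.s ⋆ λb.t,  with a, b not free in s or t."""
    assert not {a, b} & (fv(s) | fv(t))
    return star(lam(a, s), lam(b, t))
```

For OR(var('p'), var('q')) the two structural rules give the reducts p and q, so the set of normal forms is {p, q}, which is exactly the non-confluence of Definition 2. For the term $\lambda a.(a \star b) \star \lambda c.(d \star c)$ both rules also fire, giving $(\lambda c.(d \star c)) \star b$ and $d \star \lambda a.(a \star b)$, but both continue to the single normal form $d \star b$.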

Definition 4. Define the reachable terms by adding the following additional formation
rules to those given in Table 2:

  from $\Gamma, a : A_1^\bot \vdash s : \bot$, $\Gamma, b : A_2^\bot \vdash t : \bot$ and $\Gamma, c : A_i \vdash r : \bot$ infer
  $\Gamma \vdash \mathrm{in}_i(\lambda c.r) \star \langle \lambda a.s, \lambda b.t \rangle : \bot$ and $\Gamma \vdash \langle \lambda a.s, \lambda b.t \rangle \star \mathrm{in}_i(\lambda c.r) : \bot$;

  from $\Gamma, a : \alpha^\bot \vdash t : \bot$ infer $\Gamma, a' : \alpha^\bot \vdash a' \star \lambda a.t : \bot$, and
  from $\Gamma, a : \alpha \vdash t : \bot$ infer $\Gamma, a' : \alpha \vdash \lambda a.t \star a' : \bot$;

  from $\Gamma, b : A_1 \vee A_2 \vdash t : \bot$ and $\Gamma, c : A_i^\bot \vdash s : \bot$ infer $\Gamma \vdash \lambda b.t \star \mathrm{in}_i(\lambda c.s) : \bot$;

  from $\Gamma, a : A^\bot \vdash s : \bot$, $\Gamma, b : B^\bot \vdash t : \bot$ and $\Gamma, c : A \wedge B \vdash r : \bot$ infer
  $\Gamma \vdash \lambda c.r \star \langle \lambda a.s, \lambda b.t \rangle : \bot$.

Proposition 1. Let $t$ be an annotation. If $s$ is a normal form of $t$ then it is the
annotation of a cut free proof.

Proof. We establish the following two facts:

— If $r$ is a reachable term and $r \longrightarrow r'$, then $r'$ is a reachable term.

— A reachable term is in normal form if and only if it is the annotation of a
cut free proof.

3 LK| — a Confluent Calculus

The basic idea of the translation of $\lambda^{Sym}$-annotated proofs will be to give two
'different disambiguations' for each cut (or potential cut), corresponding to the
two different choices represented by the structural dilemma, and then to use a
non-deterministic choice operator to combine them. The first step is to settle on
a means of determining the behaviour of proofs under cut elimination by adding
information. One possibility is to attach this information to formulas; this is
the solution proposed in the LK$_{tq}$ calculus [7]. But combining proofs of different
formulas non-deterministically is difficult when it comes to co-ordinating the
choices of colouring for cut formulas.

There is another option. The structural dilemma can be resolved by allowing
different cut elimination behaviours to be captured as different proofs of the
same formula. This is achieved here by adding information to proofs in the form
of a new, non-logical rule, 'lifting', which converts a formula which appears
as the main conclusion of a logical rule or axiom into one which can be used as
the main premiss of a logical rule or cut. Different cut elimination behaviours
for the same LK proof are obtained by varying where the liftings are included.
This allows the structural dilemma to be expressed as a simple erratic choice
between two proofs of the same formula, i.e. $\lambda$-terms of the same type.

Definition 5. The types of LK| (represented as $C, D, \ldots$) consist of the propositional
formulas ($A, B, \ldots$), together with lifted formulas ($\lfloor A \rfloor, \lfloor B \rfloor, \ldots$):
$$C ::= A \mid \lfloor A \rfloor$$
The rules for the sequent calculus LK| are given in Table 3.

Table 3. Classical sequent calculus with lifting, LK| (premisses on the left of $\Longrightarrow$, conclusion on the right)

  AXIOM:                                   $\Longrightarrow \alpha, \alpha^\bot$
  CUT:        $\Gamma, A$ and $\Gamma, A^\bot$   $\Longrightarrow \Gamma$
  $\lfloor$CUT$\rfloor$:  $\Gamma, \lfloor A \rfloor$ and $\Gamma, \lfloor A^\bot \rfloor$   $\Longrightarrow \Gamma$
  WK:         $\Gamma$                      $\Longrightarrow \Gamma, C$
  CON:        $\Gamma, C, C$                $\Longrightarrow \Gamma, C$
  LIFT:       $\Gamma, A$                   $\Longrightarrow \Gamma, \lfloor A \rfloor$
  AND:        $\Gamma, \lfloor A \rfloor$ and $\Gamma, \lfloor B \rfloor$   $\Longrightarrow \Gamma, A \wedge B$
  OR$_i$ ($i = 1, 2$):  $\Gamma, \lfloor A_i \rfloor$   $\Longrightarrow \Gamma, A_1 \vee A_2$

Note that any proof of LK| has (as its 'skeleton' [7]) a corresponding LK proof
of the same sequent which omits all of the liftings. The cut elimination procedure
for LK| proofs is similar to that given for LK, except that polarities (together
with the lifting rule) will be used to resolve the structural dilemma. The polarity
of a formula is simply determined by its outermost connective.

Definition 6. Positive formulas are defined: $P ::= \alpha^\bot \mid A \vee B$.

Negative formulas are defined: $N ::= \alpha \mid A \wedge B$.

The key feature for cut elimination is therefore that at each cut, one cut formula
is positive and the other cut formula is negative. Thus the structural dilemma
can be expressed in terms of polarities; each commuting cut can be reduced by
commuting it up the branch containing the negative cut formula first, or up
the branch containing the positive cut formula first. Lifting allows both of these
possibilities to be combined without non-determinism.

— A structural cut between two lifted formulas reduces by transporting the
proof of the lifted negative formula to each of the points where the positive
formula was lifted. Each of these intermediate cuts reduces by transporting
the proof of the newly lifted positive formula to the point where the negative
formula was lifted.

— A "logical lifted cut" (i.e. a cut in which the last rule on both sides is the
lifting of the cut formulas) reduces directly to a cut between the unlifted
formulas.

— A structural cut between unlifted formulas reduces first by transporting the
proof of the positive formula to each point where the negative formula was
introduced, and then reducing each intermediate cut by transporting the
proofs of the freshly introduced negative formulas to the points where the
positive formula was introduced, creating logical cuts.

Thus different cut elimination protocols for LK can be simulated in LK| by
choices of where (not whether) to include liftings, as will be shown by using
non-determinism to simulate symmetric cut elimination.
3.1 Assigning λ-terms to LK| Proofs 

The formal representation of the cut elimination procedure is analogous to the 
symmetric calculus. Terms of the simply-typed λ-calculus with pairing are assigned 
to proofs of LK| and cut elimination is implemented by normalisation. 
An alternative would be a translation into proofs of linear logic, which could 
also be used to analyse the “logical dilemma” [7] encountered in cut elimination 
of proofs with multiplicative logical rules. 

The term-calculus has a distinguished (empty) ground type 0 corresponding 
to the ‘response type’ of a cps translation; the other ground types are the atomic 
propositions of LK. Representing $T \Rightarrow 0$ as $\neg T$, we give a translation of positive 
formulas as negated types, negative formulas as doubly negated types. 

Definition 7. Each LK|-type C is interpreted as a λ-type [C] as follows: 

- $[a] = \neg\neg a$, $[a^\perp] = \neg a$ 

- $[\lfloor A \rfloor] = \neg [A^\perp]$ 

- $[A \wedge B] = \neg\neg(\neg\neg[A] \times \neg\neg[B])$ 

- $[A \vee B] = \neg(\neg\neg[A^\perp] \times \neg\neg[B^\perp])$ 

Note that for all positive formulas, $[B^\perp] = \neg[B]$ and $[\lfloor B \rfloor] = \neg\neg[B]$, whereas 
for all negative formulas, $[A] = \neg[A^\perp]$ and $[\lfloor A \rfloor] = [A]$. 

Definition 8 (Annotation of LK| proofs). For each LK| formula A, define 
a λ-type $\bar{A}$ such that $\neg\bar{A} = [A]$; i.e. $\bar{a} = \neg a$, $\overline{a^\perp} = a$, $\overline{\lfloor A \rfloor} = [A^\perp]$, 

$\overline{A \wedge B} = \neg(\neg\neg[A] \times \neg\neg[B])$, $\overline{A \vee B} = \neg\neg[A^\perp] \times \neg\neg[B^\perp]$. 

Proofs of LK| sequents Γ, Δ, ... are annotated with lambda terms-in-context 
$x : \bar{A},\ y : \bar{B} \vdash u : 0$ as defined in Table 4 (λ-terms are denoted u, v, w, ... to 
distinguish them from λ^sym-terms). 

(The operation (J is defined such that if v : lf|A||, then (t;! : -i-i|fA|; 

b : =e\v- [A^ll = A* : [A] ^ 0.* v.) 



$$\frac{}{x : a^\perp,\ y : a \vdash y\,x : 0}\ \text{AXIOM}$$

$$\frac{\Gamma, x : P \vdash v : 0}{\Gamma, y : \lfloor P \rfloor \vdash y\,\lambda x.v : 0}\ \text{LIFT} \qquad \frac{\Gamma, x : N \vdash v : 0}{\Gamma, x : \lfloor N \rfloor \vdash v : 0}\ \text{LIFT}$$

$$\frac{\Gamma, x : P \vdash u : 0 \qquad \Gamma, y : P^\perp \vdash v : 0}{\Gamma \vdash (\lambda y.v)\,\lambda x.u : 0}\ \text{CUT} \qquad \frac{\Gamma, x : \lfloor P \rfloor \vdash u : 0 \qquad \Gamma, y : \lfloor P^\perp \rfloor \vdash v : 0}{\Gamma \vdash (\lambda x.u)\,\lambda y.v : 0}\ \lfloor\text{CUT}\rfloor$$

$$\frac{\Gamma \vdash v : 0}{\Gamma, x : C \vdash v : 0}\ \text{WK} \qquad \frac{\Gamma, x : C, y : C \vdash v : 0}{\Gamma, z : C \vdash v[z/x, z/y] : 0}\ \text{CON}$$

$$\frac{\Gamma, x : \lfloor A \rfloor \vdash u : 0 \qquad \Gamma, y : \lfloor B \rfloor \vdash v : 0}{\Gamma, z : (A \wedge B) \vdash z\,\langle [\lambda x.u], [\lambda y.v] \rangle : 0}\ \wedge \qquad \frac{\Gamma, x : \lfloor A_i \rfloor \vdash u : 0}{\Gamma, y : (A_1 \vee A_2) \vdash \pi_i(y)\,\lambda x.u : 0}\ \vee_i$$

Table 4. λ-calculus annotation of LK| 
Definition 9. Cut elimination for LK| is by βπ-reduction of annotations: 

$$(\lambda x.v)\,u \to v[u/x] \qquad \pi_i(\langle v_1, v_2 \rangle) \to v_i$$

Note that this implements the procedure for LK| cut elimination informally 
described above. As for λ^sym-annotation of LK proofs, the set of annotations 
is not closed under reduction, but is closed under normalisation, which can be 
shown by defining a set of reachable terms and observing that a reachable term 
is a normal form if and only if it annotates a cut free proof. 

Proposition 2. Cut elimination for is confluent and strongly normalising. 

Proof. This is a direct consequence of strong normalisation and confluence of 
the simply-typed λ-calculus with pairing. 



4 Simulating Non-deterministic Cut Elimination 

The target language for the translation of λ^sym-annotated LK proofs is a simple 
extension of the λ-calculus with non-deterministic choice. 

Definition 10. The λ^+-calculus is the simply-typed λ-calculus with pairing, augmented 
with the following rule of ‘superposition’; in computational terms, a kind 
of “erratic choice” construct [15]: 

$$\frac{\Gamma \vdash u : T \to 0 \qquad \Gamma \vdash v : T \to 0}{\Gamma \vdash u + v : T \to 0}$$

The choice expressed by u + v is between functions rather than arguments, so it is 
resolved when it calls (is applied to) another procedure, rather than vice-versa. In 
other words, reduction of superposition is lazy. This is because non-determinism 
in the classical sequent proofs is incorporated in the logical rules as well as the 
cut rule, but it is only when the logical rules are unpacked, in the course of cut 
elimination, that the choice can be resolved. Thus cut free proofs — and terms 
in normal form — should retain the possibility of non-deterministic behaviour. 

Definition 11. Superposition reduction: 

$$(u_1 + u_2)\,v \to u_i\,v \qquad (i = 1, 2)$$

The union of (the compatible closure of) this reduction with βπ reduction on 
λ^+ will be written →, and its transitive reflexive closure ↠. The following 
is a straightforward inference from strong normalisation of the simply-typed 
λ-calculus. 

Proposition 3. (λ^+, →) is strongly normalising. 
4.1 Translating the Structural Dilemma 

Both of the choices presented by the (polarized version of the) structural dilemma 
for a commuting cut can be simulated by different (and in a sense, canonical) 
choices of where to lift the cut formulas in an associated LK| proof. If the 
positive cut formula was lifted immediately after introduction, then according to 
the LK| cut elimination protocol, the cut is eliminated by commutation up the 
branch containing the negative cut formula first. If the positive cut formula was 
lifted immediately before the cut then the cut is eliminated by commutation up 
the branch containing the positive cut formula first. (Note that where the 
negative formula was lifted has no effect.) 

LKtq can therefore be translated into LK| by using the colours to determine 
where the positive formula should be lifted. However, using the typed ‘superposition’ 
operator, we can also introduce explicit choices between these two possible 
liftings of the positive cut formula, and hence simulate the structural dilemma 
and reduction of proofs. So we shall now give a translation of λ^sym annotations 
into λ^+ such that the normal forms of each annotation and its translate 
are the same. 

(Where it matters) negative names (i.e. λ^sym-variables of positive type) will 
be represented as m, n, ..., and positive names as p, q, .... We shall assume that 
each positive name p : P is associated with a complementary pair of fresh names 
$p^{\lceil}, p^{\rceil} : P$, with the intended meaning that an introduction named with $p^{\lceil}$ is 
translated as an introduction followed by a lifting, but an introduction named 
with $p^{\rceil}$ is not. The binding of p is translated as a choice between substituting 
$p^{\rceil}$ for p, translating, and then binding, or substituting $p^{\lceil}$ for p, translating, 
binding and lifting the result. 

Definition 12. The translation of propositional formulas is as in Definition 
1. The translation of annotations assumes a bijective correspondence between 
names $n : N$, $p^{\lceil}, p^{\rceil} : P$, and λ^+-variables $x_n : \bar{N}$, $x_{p^{\rceil}} : \bar{P}$, $x_{p^{\lceil}} : \neg\neg\bar{P}$. 

- Xpi, 

^y-Xn y 

- [An.t] = Xxn.m, 

[Ap.t] = A*p|.[t[p|/p]] -b (Xy.y A*p|.[t[p|/p]]) 

- b^(si,S2)l = (rblll, r[s2ll), 

- bi^ini(s)l = T^iixpi) [s], 

bt^ini(s)] = A*.7ri(*) [s] 

- [Ap.s^An.t] = [An.t^Ap.s] = [Ap.s] [An.t] 

E.g. Is or tj = (A*a|.[s] -b Az.z A*a|.[s]) Xxi.lt}. 

(A*a|.[s] -b Az.z A*a|.[s]) A*j.[t] ^ A*a|.[s] A*j.[t] — ^ [s] 

b*aT-W + A*J.[t] ^ (Az.z A*a|.[s]) A*j.[t] ^ [t] . 
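The superposition rule of Definitions 10 and 11 and the choice between the unlifted and the lifted binding in the translation above, as an added Python example (not the paper's code): a small λ^+ term language whose `normal_forms` enumerates Nf(u) exhaustively. The translate of a cut is modelled with [s] and [t] as opaque constants; the names `Const`, `translated_cut`, `demo_cut_choice` and `demo_lazy` are mine.

```python
# Added example: a minimal lambda^+ term language (lambda calculus with pairing
# plus lazy superposition; types untracked) and exhaustive enumeration of Nf(u).
from dataclasses import dataclass
from itertools import count

class Term:
    """Base class for lambda^+ terms; the constructors below are frozen dataclasses."""
@dataclass(frozen=True)
class Var(Term): name: str
@dataclass(frozen=True)
class Lam(Term): var: str; body: Term
@dataclass(frozen=True)
class App(Term): fun: Term; arg: Term
@dataclass(frozen=True)
class Pair(Term): fst: Term; snd: Term
@dataclass(frozen=True)
class Proj(Term): i: int; arg: Term        # pi_i(t), i in {1, 2}
@dataclass(frozen=True)
class Plus(Term): left: Term; right: Term  # superposition u + v (Definition 10)
@dataclass(frozen=True)
class Const(Term): name: str               # opaque closed normal form, e.g. a translate [s]

_fresh = count(1)
def children(t):
    """Immediate subterms of t, in field order."""
    if isinstance(t, (Var, Const)):
        return ()
    if isinstance(t, (Lam, Proj)):
        return (vars(t)["body" if isinstance(t, Lam) else "arg"],)
    return tuple(vars(t).values())           # App, Pair, Plus: two subterms

def rebuild(t, kids):
    """Copy of t with its immediate subterms replaced by kids."""
    if isinstance(t, Lam):
        return Lam(t.var, kids[0])
    if isinstance(t, Proj):
        return Proj(t.i, kids[0])
    return type(t)(*kids)                    # App, Pair, Plus

def free_vars(t):
    if isinstance(t, Var):
        return {t.name}
    fv = set().union(*(free_vars(c) for c in children(t)))
    return fv - {t.var} if isinstance(t, Lam) else fv

def subst(t, x, u):
    """t[u/x], renaming a binder that would capture a free variable of u."""
    if isinstance(t, (Var, Const)):
        return u if isinstance(t, Var) and t.name == x else t
    if isinstance(t, Lam):
        if t.var == x:
            return t
        if t.var in free_vars(u):
            fresh = f"{t.var}_{next(_fresh)}"
            t = Lam(fresh, subst(t.body, t.var, Var(fresh)))
        return Lam(t.var, subst(t.body, x, u))
    return rebuild(t, tuple(subst(c, x, u) for c in children(t)))

def step(t):
    """All one-step reducts of t: beta and pi (Definition 9), superposition
    (Definition 11), and their compatible closure. A bare u + v is not a redex."""
    out = set()
    if isinstance(t, App) and isinstance(t.fun, Lam):     # (lambda x.v) u -> v[u/x]
        out.add(subst(t.fun.body, t.fun.var, t.arg))
    if isinstance(t, App) and isinstance(t.fun, Plus):    # (u1 + u2) v -> u_i v
        out.update({App(t.fun.left, t.arg), App(t.fun.right, t.arg)})
    if isinstance(t, Proj) and isinstance(t.arg, Pair):   # pi_i <v1, v2> -> v_i
        out.add(t.arg.fst if t.i == 1 else t.arg.snd)
    kids = children(t)
    for k, c in enumerate(kids):
        out.update(rebuild(t, kids[:k] + (c2,) + kids[k + 1:]) for c2 in step(c))
    return out

def normal_forms(t, bound=10_000):
    """Nf(t) by exhaustive search; finite since lambda^+ is strongly normalising
    (Proposition 3). The bound only guards against runaway inputs."""
    seen, todo, nfs = {t}, [t], set()
    while todo:
        succ = step(cur := todo.pop())
        if not succ:
            nfs.add(cur)
        for s in succ - seen:
            seen.add(s)
            todo.append(s)
        if len(seen) > bound:
            raise RuntimeError("search bound exceeded")
    return nfs

def translated_cut(s, t):
    """Shape of the translate of a cut lambda p.s * lambda n.t (Definition 12), with
    [s], [t] supplied as opaque terms: the binding of p is a superposition of the
    unlifted binding and the lifted one, applied to the translate of lambda n.t."""
    unlifted = Lam("x_p", s)
    lifted = Lam("z", App(Var("z"), Lam("x_p", s)))
    return App(Plus(unlifted, lifted), Lam("x_n", t))

def demo_cut_choice():
    """Both sides of the cut survive as normal forms: Nf = {[s], [t]}."""
    return sorted(nf.name for nf in normal_forms(translated_cut(Const("[s]"), Const("[t]"))))

def demo_lazy():
    """Superposition is lazy: u + v on its own is already a normal form."""
    u_plus_v = Plus(Lam("x", Const("[s]")), Lam("x", Const("[t]")))
    return normal_forms(u_plus_v) == {u_plus_v}
```

The first branch of the superposition reaches [s] and the second, after the lifting step `z (lambda x.[s])` hands [s] to [t]'s binder, reaches [t], so Nf of the translate is exactly the two cut-elimination outcomes.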

In order to formally relate λ^sym reduction of annotations to λ^+ reduction of 
their translations (and derive the termination result) it is necessary to extend 
Definition 12 to a translation of the reachable λ^sym terms into λ^+. 

Definition 13. Translation of reachable terms: 
- [Aai^&] = [&^Aai] = A*a.pl 

- |Ap.r^(s,t)] = A*p|.[r] ([[s]], [[t]]) 

- [An.s^ini(t)] = A*„.[sl (A*.7ri(*) {tj) 

- [ini(r)^(s,t)] = |(s,t)^ini(r)] = 7ri(([[s]], [r] 

Proposition 4. For any reachable terms s, t: $t \twoheadrightarrow s$ implies $[t] \twoheadrightarrow [s]$. 

Proof. This is by observing that redexes of annotations translate to a series of 
redexes of λ^+, e.g. $[\lambda p.t \star \lambda n.s]$ = 

(A*p|.[t[p|/p]] + Az.z \xp.lt\pi/p]}) [An.s] — ^ [An.s] 

— ^ ~ (proof by structural induction). And 

{\xp.lt[p^/p]} + \z.z \xpi.lt[pi/p]J) At/„.[s] — ^ (Az.z \xpi.lt[pi/p]) At/„.[s] 

— ^ At/„.[s] Xxp.lt[pi/p]j — ^ W[A*p|.[t[p|/p]]/t/„] = ls[Xp.t/n]}. 

[in,-(t)^(si,S2)l = 7 ri(([[si]], [[S2II)) W " [«*'! W = if has a 

positive type, or (Az.z [si]) [t] ^ [t] [si] = if Si has a negative type. 

Corollary 1. The cut elimination procedure for LK given by annotation 
and reduction is strongly normalising. 

This is of course already a corollary of the fact that reduction is terminating 
[2]. Proof of that result, however, is given by ‘a non-trivial version of Tait 
and Girard’s [reducibility candidates] method’. Proving strong normalisation by 
translation has the desirable consequence of limiting the use of such logically 
complex methods to a few well known intuitionistic cases (this is significant for 
the extension to second-order LK). 

The following proposition and its corollary strengthen the soundness result 
given in Proposition 4 by establishing that the translation is faithful: λ^+-normalisation 
of translated annotations implements cut elimination for LK precisely. 

Proposition 5. If u is a λ^+ term such that $u \twoheadrightarrow [s]$ for some reachable term 
s and v is a λ^+ term such that $u \to v$, then there exists a reachable term t such 
that $v \twoheadrightarrow [t]$ and $s \twoheadrightarrow t$. 






Corollary 2. For any term M of λ^sym or λ^+, let Nf(M) be the set of 
normal forms of M. Then for any annotation s, $\mathit{Nf}([s]) = \{[t] \mid t \in \mathit{Nf}(s)\}$. 

To prove Proposition 5, we first establish it in a restricted form. 

Lemma 1. If s is a reachable term, and u is a λ^+-term such that $[s] \to u$, 
then there is a reachable term t such that $s \twoheadrightarrow t$ and $u \twoheadrightarrow [t]$. 
Next we prove that a form of the Church-Rosser theorem holds for λ^+ (using a 
method which is a straightforward variant of the standard proof of that theorem, 
see e.g. [3]). 

Lemma 2. Suppose u is a λ^+ term such that $u \twoheadrightarrow v$ and $u \to v'$; then there exists 
a λ^+-term w such that $v \twoheadrightarrow w$ and $v' \twoheadrightarrow w$. 




Now Proposition 5 can be proved by induction on the maximum number of steps 
required to reduce u to normal form. There are two cases to consider, u = [s] 
and u ≠ [s]. 



[Diagrams for the proof of Proposition 5: Case u = [s] (via Lemma 1) and Case u ≠ [s] (via Lemma 2); not legible in this copy.] 

u = [s]: Either u = v, or $u \to u' \twoheadrightarrow v$. Then by Lemma 1, there exists a 
reachable t such that $u' \twoheadrightarrow [t]$ and $s \twoheadrightarrow t$. The induction hypothesis now 
applies, as u' reduces to normal form in fewer steps than u, and so there is 
some reachable r such that $v \twoheadrightarrow [r]$ and $t \twoheadrightarrow r$, and hence $s \twoheadrightarrow r$ as required. 

u ≠ [s]: Suppose $u \twoheadrightarrow [s]$ and $u \to v$. Then by the restricted Church-Rosser 
property (Lemma 2), there exists w such that $[s] \twoheadrightarrow w$ and $v \twoheadrightarrow w$. 
Now the induction hypothesis applies, as [s] normalises in fewer steps than 
u, so there exists a reachable t such that $s \twoheadrightarrow t$ and $w \twoheadrightarrow [t]$, and hence 
$v \twoheadrightarrow [t]$ as required. 



5 Further Directions 

Several avenues for further research exist which are beyond the scope of this 
paper, notably the extension to second order logic and the use of lifting and 
non-determinism to give denotational models of classical proofs. 

It is relatively straightforward to extend the work outlined here to second 
order. Using the second order symmetric λ-calculus, sequent rules for the introduction 
of the quantifiers can be annotated as follows: 

Ca:.4(A-)^H:l Ca:.4(T)^hi:l 

C,6:(V.Y./l(.Y))a|-6*/LY.Aa.^:l '-intro ^ 4-mtrc 

with cut elimination implemented by the rules: 

$$\Lambda X.s \star \langle T, t \rangle \to s[T/X] \star t \qquad \langle T, t \rangle \star \Lambda X.s \to s[T/X] \star t$$

LK| extends naturally to second order, and can be annotated with terms of 
System F with (a representation of) pairing, by extending the double negation 
translation: 

This yields a translation of classical second-order proofs into System F with su- 
perposition. Since the latter is strongly normalising (easy to prove as a corollary 
of strong normalisation for System F), this shows that cut elimination for sec- 
ond order LK is strongly normalising without the need for a new and logically 
complex proof. 

The analysis of classical proofs described so far has been wholly syntactic, 
but it suggests a recipe for a semantics of classical proofs in any model of the 
λ^+-calculus. However, there are a number of issues to address if the translation 
of classical proofs into intuitionistic logic is to yield a reasonable semantic 
construction. For example, the interpretation given here is very liberal with the 
double-negation operator. This is necessary to represent the many cut elimination 
strategies available in classical logic compared with the intuitionistic 
case; for instance ∨, ∧ are not associative ($[T \wedge (S \wedge U)]$ is not isomorphic 
to $[(T \wedge S) \wedge U]$), and this faithfully reflects the fact that A ∧ (B ∧ C) and 
(A ∧ B) ∧ C behave differently as cut formulas because of the different order 
of introduction of the disjunctions. However, associativity would seem to be a 
minimal requirement of the logical connectives as semantic operators. To regain 
it, the double negation translation can be restricted so that it includes liftings, 
and hence cut choices, only when polarities alternate: e.g. let $[\lfloor N \rfloor] = [N]$, 
$[\lfloor P \rfloor] = \neg\neg[P]$, $[A \wedge B] = [\lfloor A \rfloor] \times [\lfloor B \rfloor]$, $[A \vee B] = \neg[A^\perp \wedge B^\perp]$. 

Then $[T \wedge (S \wedge U)] = [\lfloor T \rfloor] \times ([\lfloor S \rfloor] \times [\lfloor U \rfloor]) \cong ([\lfloor T \rfloor] \times [\lfloor S \rfloor]) \times [\lfloor U \rfloor] = [(T \wedge S) \wedge U]$. 
By contrast, $[T \wedge (S \vee U)] = [\lfloor T \rfloor] \times \neg\neg\neg[S^\perp \wedge U^\perp]$. 

This leads to the question of whether it is possible to give a ‘most general’ cut 
elimination procedure for classical proofs, and whether it is possible to translate 
it into a constructive framework. The translation given here is not fully complete 
(because more diverse behaviours exist in the target language than in the 
symmetric λ-calculus): is it possible to capture all cut elimination behaviours 
with a full completeness result? 
Abstract. We present an extension of the Interaction Abstract Machine 
(IAM) [10, 4] to full Linear Logic with Girard’s Geometry of Interaction 
(GoI) [6]. We propose a simplified way to interpret the additives and the 
interaction between additives and exponentials by means of weights [7]. 
We describe the interpretation by a token machine which allows us to 
recover the usual MELL case by forgetting all the additive information. 



The Geometry of Interaction (GoI), introduced by Girard [5], is an interpretation 
of proofs (programs) by bideterministic automata, turning the global 
cut elimination steps (β-reduction) into local transitions [10, 4]. Because of this 
locality, the GoI has proved to be a useful tool for studying the theory and 
implementation of optimal reduction of the λ-calculus [8, 2]. It is also strongly 
connected to work on game semantics for Linear Logic and PCF ([1, 3] 
for example). Maybe the most exciting use of the locality of GoI is the current 
work aiming at using it for implementing some parallel execution schemes [11]. 

Although the GoI has been very present in various works, its most popular 
version only deals with the MELL fragment of Linear Logic (which is nevertheless sufficient 
for encoding the λ-calculus). Girard proposed an extension of GoI to the 
additives [6], but his solution is quite technical (it makes important use of an 
equivalence relation and entails a complex interpretation of the exponentials), 
which is probably the reason why it did not have the same success as the MELL case. 
A first difficulty is to manage the “non-linearity” of the additive cut elimination 
step (see below). A subtler problem comes from the interaction between additives 
and exponentials; in particular we will see that the weakening rule becomes very 
tricky to handle in the presence of additives. Note that this is linked to the problem 
(still open at the time of this writing) of finding a good proof-net syntax for full 
LL. 

In this paper, although we don’t claim to give the final word on the GoI for 
LL, we propose an interpretation with an abstract machine, based on additive 
weights [7]. This greatly simplifies Girard’s interpretation since we don’t have to 
work up to isomorphism. We hope that this will prove to be a determining step 
towards the extension to additives of optimal reduction, games, ... 

S. Abramsky (Ed.): TLCA 2001, LNCS 2044, pp. 283-297, 2001. 

© Springer-Verlag Berlin Heidelberg 2001 
Additive linearity. A naive look at the usual &/⊕ cut elimination step of MALL 
shows that this reduction step is not so “linear”: the sub-proof π_2 is completely 
erased. 

$$\cfrac{\cfrac{\cfrac{\pi_1}{\vdash \Gamma, A} \quad \cfrac{\pi_2}{\vdash \Gamma, B}}{\vdash \Gamma, A \,\&\, B}\ \& \qquad \cfrac{\cfrac{\pi_3}{\vdash \Delta, A^\perp}}{\vdash \Delta, A^\perp \oplus B^\perp}\ \oplus_1}{\vdash \Gamma, \Delta}\ cut \quad\longrightarrow\quad \cfrac{\cfrac{\pi_1}{\vdash \Gamma, A} \qquad \cfrac{\pi_3}{\vdash \Delta, A^\perp}}{\vdash \Gamma, \Delta}\ cut$$

This is too drastic to be interpreted by the very local approach of GoI. To 
“linearize” this cut elimination step, Girard introduced the b-rules [6], in the 
calculus LL^b, which allow one to keep the proof π_2 after reduction, marked with 
a b symbol. 



Soundness. By the modification of the additive reduction in LL^b, we get the 
preservation of the GoI by b-reduction. Although an LL^b-normal form is not an 
LL-normal form (it still has some b-rules), one can easily extract the latter from 
the former. This extraction procedure erases parts of the proof that had been 
memorized along the b-reduction, thus it doesn’t respect the GoI interpretation. 
This is why we will only show a soundness result for LL-proofs of ⊢ 1 ⊕ 1. 

Proofs of ⊢ 1 ⊕ 1 give an encoding of booleans since there are exactly two 
normal proofs of this sequent in LL. The restriction to these boolean results is 
very drastic but sufficient, from a computational point of view, to distinguish 
different results (see [5] for a longer discussion). 

Without clearly decomposing LL cut elimination into these two steps (b-reduction 
and extraction), the study of the modifications of the GoI interpretation 
during LL-reduction would be very complicated and the results very difficult 
to express and to prove. Moreover this precise analysis allows us to introduce a 
parallel version of the automaton which leads to simpler results in both steps 
(Propositions 1 and 2). This parallel approach may probably also be used to 
define GoI for the system LLP [9] for classical logic, which contains generalized 
structural rules. 



Additives and weakening. The other main technical (and complicated) point is 
the interaction between additives and exponentials, in particular the interaction 
with weakening (or ⊤). According to its erasing behavior, the usual interpretation 
of a weakened formula is empty. In an additive setting, this idea leads to an 
inconsistency: 



[Derivation not legible in this copy: ⊕_i proofs of ⊢ 1 ⊕ 1 with a weakened (⊤) context formula, combined by a &-rule and cut against another proof; rule labels ⊤, &, cut.] 



there is no way to know if the ⊕_i proof is “attached” to the left or to the right 
part of the &, if ⊤ is empty. Thus the GoI interpretation of this proof doesn’t 
depend on the value of i, which is crucial since it determines the boolean 
corresponding to the normal form. To solve this problem, we have to modify the 
weakening rule by attaching the weakened formula to a formula in the context 
(which corresponds to encoding ⊥ by $\exists\alpha(\alpha \otimes \alpha^\perp)$, see [6]), ensuring that 
explicit information in the GoI interpretation indicates which ⊕ is on the left 
and which on the right. 

Sequent calculus vs. proof-nets. The idea of GoI comes from the geometric representation 
of proofs given by proof-nets [7]. However, the technology of proof-nets 
for additives is not completely satisfactory, in particular because there is no good 
cut elimination procedure. Moreover using proof-nets would require a definition 
of b-proof-nets. For these reasons, we will interpret proofs in sequent calculus and 
prove our results for this interpretation, but it is easy to define the interpretation 
of proof-nets when not talking about cut elimination. 

The presentation is done in three distinct steps: first the MALL case, then we 
add the constants and eventually we obtain the full case by adding the exponentials. 
In this way, it is easier to see the modularity of the construction and to see 
which part of the interpretation corresponds to which subpart of Linear Logic. 
By forgetting the adequate constructions, we can easily obtain GoI for various 
fragments of LL; in particular we recover the usual IAM [4] for MELL. 

1 Sequent Calculus MALL^b 

To give the interpretation of proofs, we have to be very precise about the distinct 
occurrences of formulas. This is why we introduce annotations with indexes in 
the rules of the sequent calculus. 



1.1 Usual MALL Sequent Calculus 

[Rules of MALL with indexed occurrences of formulas (ax, cut, ⊗, ⅋, &, ⊕_1, ⊕_2): the schemas are not legible in this copy.] 



1.2 b-Rules 

We have to introduce a new symbol b, for marking some “partial” sequents in 
proofs; this is not a formula and thus no connective can be applied to it. 

$$\frac{}{\vdash \Gamma, b}\ b \qquad \frac{\vdash \Gamma_1, \Delta_1 \quad \vdash \Gamma_2, b \quad \vdash \Delta_2, b}{\vdash \Gamma, \Delta}\ s^b$$

The two b-premises of the s^b-rule are used to memorize some sub-proofs 
through the additive reduction step (see Sect. 1.4). 

A proof of a sequent containing the symbol b is a kind of partial proof where 
some sub-proof is missing. 
Definition 1 (Weight). Given a set of elementary weights, i.e., boolean variables, 
a basic weight is an elementary weight p or a negation $\bar{p}$ of an elementary 
weight p, and a weight is a product (conjunction) of basic weights. 

As a convention, we use 1 for the empty product and 0 for a product where 
p and $\bar{p}$ appear. We also replace p.p by p and $\bar{p}.\bar{p}$ by $\bar{p}$. With this convention we 
say that the weight w depends on p when p or $\bar{p}$ appears in w. 

We use the notations w(p) (resp. $w(\bar{p})$) if p (resp. $\bar{p}$) appears in w and $w(\not p)$ 
if w doesn’t depend on p. The product of weights is denoted by w.w'. 

We will consider weighted proofs, i.e., with a basic weight associated to each 
&-rule and to each s^b-rule. These two kinds of rules are called sided rules. For 
a &-rule, the sub-proof of the left (resp. right) premise is called its left (resp. 
right) side and for an s^b-rule the sub-proof of ⊢ Γ_1, Δ_1 is the left side and the 
sub-proofs of ⊢ Γ_2, b and ⊢ Δ_2, b are the right side. 

A weight describes a choice for the &-rules of one of their two premises. It 
corresponds to the notion of additive slice [7], that is the multiplicative proofs 
obtained by projecting each & on one of its sides. 

Definition 2 (Correct weighting). A weighted proof has a correct weighting 
when two sided rules have a basic weight corresponding to the same elementary 
weight only if they are in the left side and in the right side of a same sided rule 
(i.e., an elementary weight never appears twice in the same additive slice of a 
proof). 

1.3 The ♮-Translation 

We are only interested in proofs of LL sequents (without b); b-rules are used as 
an intermediary step for the interpretation. This is why in the sequel we will 
consider only LL^b proofs of LL sequents. 

There exists an easy way to transform such an LL^b proof π into an LL one 
π^♮ called the ♮-translation: for LL-rules just change nothing and for each s^b-rule 
erase the right side and connect the left side to the conclusion. 
For such a cut elimination step between a &-rule and a ⊕_i-rule, we can 
define a canonical weighting for the new proof from the one on the initial proof 
by associating to the s^b-rule the basic weight p if i = 1 and $\bar{p}$ if i = 2 where p is 
the basic weight of the &-rule. 

Due to this modified reduction step, MALL is a sub-system of MALL^b which 
is not stable by reduction. 

Remark 1. This new additive step is now “really” linear if we consider sub-proofs 
with their additive weight: before reduction we have $p.\pi_1 + \bar{p}.\pi_2 + \pi_3$ and after 
$p.\pi_1 + \bar{p}.\pi_2 + p.\pi_3 + \bar{p}.\pi_3$. Notice that the b-premises of the s^b-rule are crucial for 
this purpose: one for $\bar{p}.\pi_2$ and the other one for $\bar{p}.\pi_3$. 

We also have to define new commutative steps for the s^b-rule (with π_1 proving 
⊢ Γ_1, Δ_1, C_1, π_2 proving ⊢ Γ_2, C_2, b, π_3 proving ⊢ Δ_2, b and π_4 proving ⊢ Σ, C^⊥): 

$$\cfrac{\cfrac{\pi_1 \quad \pi_2 \quad \pi_3}{\vdash \Gamma, \Delta, C}\ s^b \qquad \pi_4}{\vdash \Gamma, \Delta, \Sigma}\ cut \quad\longrightarrow\quad \cfrac{\cfrac{\pi_1 \quad \pi_4}{\vdash \Gamma_1, \Delta_1, \Sigma}\ cut \qquad \cfrac{\pi_2 \quad \pi_4}{\vdash \Gamma_2, \Sigma, b}\ cut \qquad \pi_3}{\vdash \Gamma, \Delta, \Sigma}\ s^b$$



and the corresponding one for a cut on a formula in A. 

For the other cut elimination steps, the new weighting is easy to define; when 
a sub-proof is duplicated, we preserve the same basic weights in the two copies. 

We will now always consider proofs with correct weightings, noting that cor- 
rectness is preserved by reduction. 

Definition 3 (Quasi-normal form). A proof in LL^b is said to be in quasi-normal 
form if it cannot be reduced by any step described above. 



Remark 2. A proof in quasi-normal form contains only cuts in which at least 
one of the two occurrences of the cut formula has been introduced by a b axiom 
rule and used only in cut-rules. 

It is possible to define a general cut elimination procedure as in [6] for LL^b, 
but it would be more complicated and useless because we can remark that the 
♮-translation of a proof of an LL sequent in quasi-normal form is a normal proof 
in LL. 



2 The Interaction Abstract Machine 

We now define the Interaction Abstract Machine (IAM) for MALL^b. Forgetting 
the additive information gives back the multiplicative IAM [4]. 
2.1 Tokens and Machine 

Definition 4 (Token). For the multiplicative-additive case, a token is a tuple 
(m, a, w) where m and a are stacks (ε will denote the empty stack) built on letters 
{g, d} (Girard’s notations corresponding to the French gauche and droite) and 
w is a weight. 

Definition 5 (Abstract machine). A state of the machine $M_\pi$ associated to 
the proofs of LL^b is $F^{\uparrow}(m, a, w)$ or $F^{\downarrow}(m, a, w)$ or 0 where F is an occurrence 
of a formula appearing in the proof and the arrow indicates if the token (m, a, w) 
is going upwards or downwards. 0 means that the machine stops. 

The transitions of $M_\pi$ through the rules of π are described in Figs. 1 and 2. 
Γ (resp. Δ) is used for one of the formulas of the multiset Γ (resp. Δ), but 
the same before and after the transition. If the result of a transition contains a 
weight w = 0, we consider it as 0. 

Remark 3. In Fig. 2, changing the transition in the case $A \,\&\, B^{\uparrow}(m, g.a, w(\not p))$ 
(resp. $A \,\&\, B^{\uparrow}(m, d.a, w(\not p))$) into $A \,\&\, B^{\uparrow}(m, g.a, w(\not p)) \to A^{\uparrow}(m, a, w.p)$ (resp. 
$A \,\&\, B^{\uparrow}(m, d.a, w(\not p)) \to B^{\uparrow}(m, a, w.\bar{p})$) would make no difference since this p 
(resp. $\bar{p}$) information is also added when going down through the &-rule. 



2.2 Properties of the Machine 

Definition 6 (Partial function on tokens). Let π be a proof and A one of 
its conclusions; we define the partial function $f_\pi$ by: 

$f_\pi(A, (m, a, w)) = (B, (m', a', w'))$ if the computation of $M_\pi$ on $A^{\uparrow}(m, a, w)$ ends 
by $B^{\downarrow}(m', a', w')$ with B a conclusion of π, and $f_\pi(A, (m, a, w))$ is undefined otherwise. 

The partial function is undefined in two cases: either the machine stops 
inside the proof or the execution doesn’t terminate. 

Lemma 1. Let π be a proof, and w' and $w_0$ two weights s.t. $w'.w_0 \neq 0$. 

$$f_\pi(A, (m, a, w)) = (B, (m', a', w')) \implies f_\pi(A, (m, a, w.w_0)) = (B, (m', a', w'.w_0))$$

Theorem 1 (Soundness). If π is a proof in MALL^b whose quasi-normal form 
is $\pi_0$ then for each pair formula-token j: 

- if U{j) = T then U^{j) = | 

- if UoU) = f then f^{j) = / 

- if $f_\pi(A, (m, a, w)) = (B, (m', a', w'))$ and $f_{\pi_0}(A, (m, a, w))$ is undefined then there 
exists $w_0$ s.t. $f_{\pi_0}(A, (m, a, w.w_0)) = (B, (m', a', w'.w_0))$ with $w'.w_0 \neq 0$. 

Moreover, if the execution in $M_\pi$ is infinite, it is infinite in $M_{\pi_0}$. 
[Fig. 1 and Fig. 2, the transition tables of the IAM through the ax, cut, ⊗, ⅋ rules and through the &, ⊕_i, b and s^b rules: not legible in this copy.] 

Fig. 1. Identity and multiplicative groups. 

Fig. 2. Additive and b groups. (p is the basic weight associated to the &-rule or to the 
s^b-rule and the ⊕_2 is easy to define from ⊕_1) 
The introduction of the weight $w_0$ corresponds to the transformation of $\pi_3$ 
into $p.\pi_3 + \bar{p}.\pi_3$ during additive cut elimination (see Remark 1). Before reduction 
we don’t need any information about p to go in $\pi_3$ but after reduction we have 
to know if we go to $p.\pi_3$ or to $\bar{p}.\pi_3$. 

Proof. We have to prove that for each step of cut elimination the theorem is 
true and then by an easy induction on the length of a normalization we obtain 
the result. 

We suppose that the cut-rule which we are eliminating is the last rule of the 
proof π and we obtain a proof π'. If it is not the case, we just have to remark 
that adding the same new rules at the end of π and π' is correct with respect to 
the interpretation. 

We only consider the case of the additive cut elimination step (figure in 
Sect. 1.4) which is the most important one; the others are left to the reader. 

We use the notation j = (Γ, t) or s = (Γ, (m, a, w)) to say that the formula 
we are talking about is in the multiset Γ (idem for Δ, ...). Moreover $f(\Gamma, t) = (\Gamma, t')$ 
doesn’t necessarily mean that the formula is the same before and after 
the computation. 

Let p be the basic weight associated to the &-rule. We study the different 
possible cases for j: 

- if $j = (\Gamma, (m, a, w(p)))$, we look at the sequence $s_1, s_2, \ldots$ (resp. $s'_1, s'_2, \ldots$) 
of the states (m, a, w) in the conclusions of the sub-proofs $\pi_1$, $\pi_2$ and $\pi_3$ 
(resp. $\pi_1$, $\pi_2$, $\pi_3$ and $\pi'_3$) during the computation of $M_\pi$ (resp. $M_{\pi'}$) on the 
state associated to j. In fact these states will always be in the conclusions 
of $\pi_1$ and $\pi_3$ (resp. $\pi_1$ and $\pi'_3$) with $s_1$ in $\Gamma_1$, more precisely: 

• if S2i-i-i = F^m,a,w) with F = Fi or A, S 2 i +2 = A-^ {m',a',w') with 
/,ri(F, {m,a,w)) = {A, {m! ,a' ,w')) or S 2 i-i -2 doesn’t exist; 

• if S 2 i = A-^\m,a,w), S 2 i-i-i = A^ {m' ,a' ,w') with /^ 3 (yl-*-, (m, a,ic)) = 

{m' ,a' ,w')) or S2i+i doesn’t exist. 

The same facts occur for the $s'_i$ by replacing $\pi_3$ with $\pi'_3$, so we have $\forall i,\ s_i = s'_i$. 
If $s_1, s_2, \ldots$ is infinite, $s'_1, s'_2, \ldots$ is too. There are two different reasons for 
$s_1, s_2, \ldots$ to be finite, if $s_n$ is the last state and is in the conclusions of 
$\pi_k$: either the evaluation of the corresponding machine $M_{\pi_k}$ is infinite (or 
undefined at a step) on $s_n$ and the same thing occurs in π', or $M_{\pi_k}$ on this 
state gives a result t' in the context and $f_\pi(j) = j'$ (idem in π'). 

- if j = (r, {m,a,w{p))), either = {F,t') and f^{j) = {F,t') = U'U) or 

U 2 U) = and f^{j) = t = 

- if j = (r, (m,a,u)(y))), U{j) = t and f^fj) = 

- if J = {A, (m, a, w{p))), similar to the (T, (m, a, 'w{p))) case; 

- if j = {A, {m,a,w{p))), either = {A,t') and U{j) = {A,t') = U'U) 

or UsU) = ) and U(j) = t = 

- if j = {A,{m,a,w{p))), f^fj) = t but f^{j) may be defined with f^{j) = 
{F, (m', a', w')) in this situation we have by Lemma 1 (noting that v/ .p A 0 
for a correct weighting) and by applying the case j = {A,{m,a,w{p))), 

{m,a,w.p)) = {F,{m' ,a' ,w' .p)) = fTr{A,{m,a,w.p)). This case is 
very important because it is characteristic of the fact that f_π and f_π′ may
differ. □



Corollary 1. If w is a weight s.t. for all elementary weight p of tt, p G w or 
pGw then f^{F, {m,a,w)) = {m,a,w)). 

Theorem 2 (Termination). Let π be a proof, A a conclusion of π and t a
token; the execution of the machine on A(t) terminates.



Proof. Let π₀ be a quasi-normal form of π. By Theorem 1, we have to prove that
the execution of the machine associated to π₀ on A(t) terminates.

In π₀, if the execution never uses the transition of a cut formula, either it
stops in a transition or it goes up to an axiom and then down to a conclusion, so
it terminates. Moreover, by the definition of a quasi-normal form, the cut-rules
appearing in π₀ are of the form:



h T-L,b 



b 

cut 



p r, A 

h r,b 



cut 



and if the execution uses the transition on A in such a cut-rule, it stops in the
⊥-rule. Thus the evaluation is always finite in a quasi-normal form. □



2.3 The Parallel IAM

In order to complete some transitions on which the IAM stops, we can introduce
a parallel version of the machine, for which states are formal sums of states of the
IAM, with 0 for the empty sum. To define the parallel machine M^P_π associated
to a proof π, we modify some particular transitions and we replace 0 by 0:

& 

P^ (m, a, w{pf)) — > r} (m, a, w.p) -I- (m, a, w.p) 



P^ (m, a, w{pt}) P} (m, a, w.p) -I- (m, a, w.p) 

Z\l(m, a, w{]f)) A|(m, a, w.p) + Al(m, a, w.p) 

We denote by f^P_π the partial function associated to this machine, defined
like f_π (Definition 6). To simplify the results (formal sums of pairs formula-
token), we use the following rewriting rule:

(A, (m, a, w.p)) + (A, (m, a, w.p̄)) → (A, (m, a, w))

Proposition 1 (Parallel soundness). If π is a proof whose quasi-normal form
is π₀ then f^P_π = f^P_{π₀}.

When a weight information is missing, the parallel machine tries all the possi-
bilities, thus it doesn't need any starting information. This is why the requirement
of an additional weight w₀ in Theorem 1 disappears.
3 Adding the Constants

3.1 Rules and Machine 



——1 ^ Ti,Ai l~A,b 

^ ^ h r, d, _L h r, T 

As explained in the introduction, we have to modify the ⊥-rule by distin-
guishing a particular formula in the context.

We can extend the η-translation without any loss of its properties by replacing
each ⊤-rule by the usual one ⊢ Γ, ⊤ and by erasing everything above it.

For the multiplicative constants, the cut elimination is as usual. For the 
additive constants, we obtain: 



hF2,Ai,b 

bA,A,Ti ^ 

tttat 



FF2,A,b bA2,A^ 

hr, AT 



cut 



We extend the notion of token by using the letters {g, d, ⇑, ⇓} for the multi-
plicative stack and we add new transitions for the added rules (Fig. 3).



1 _L 

V{m,a,w) ~^A{m,a,w) A^{m,a,w) ^ 

A{{m,a,w) ^ 

^ A[{m,a,w) 

T ^ A^{m,a,w) 

{m,a,w) ^ T^{m,a,w) l.\m,a,w) ^0 m 7^ fl-.m', 

r\m,a,w) rl (m, a,w) (m, a,w) ^ F/ (m, o, w) 

A (m, a,w) (m, a, w) A (m, a,w) ^ F^ (m, o, w) 



Fig. 3. Constant group. 

Theorem 1.a (Soundness continued). Theorem 1 is still true in MALL
with constants.



3.2 Computation of Booleans 

We want to compute results for the usual cut elimination procedure of LL. As
already explained, we have to restrict ourselves to the particular case of proofs
of ⊢ 1 ⊕ 1, which give a notion of booleans.

Lemma 2. If π is a proof of ⊢ 1, there exists w s.t. f_π(1, (ε, ε, w)) = (1, (ε, ε, w)).

Lemma 3. If π is a proof of ⊢ 1 ⊕ 1, ⊥ then, for any j, f_π(j) = †.

Theorem 3. If π is a proof of ⊢ 1 ⊕ 1 whose quasi-normal form is π₀ then
π₀ ends with a ⊕_i-rule whose conclusion is ⊢ 1 ⊕ 1, and

— either there exists w s.t. f_π(1 ⊕ 1, (ε, g, w)) = (1 ⊕ 1, (ε, g, w)) and i = 1,

— or there exists w s.t. f_π(1 ⊕ 1, (ε, d, w)) = (1 ⊕ 1, (ε, d, w)) and i = 2.

Proof. We suppose that i = 1 and we make an induction on π₀.

— If the last rule is a ⊕, it must be a ⊕₁ by normalization; we apply Lemma 2
to the premise, which gives us a weight w s.t. f_{π₀}(1 ⊕ 1, (ε, g, w)) = (1 ⊕
1, (ε, g, w)). Moreover for any weight w′, f_{π₀}(1 ⊕ 1, (ε, d, w′)) = †.

— If the last rule is s'', let p be its basic weight. We can apply the induction
hypothesis to the sub-proof π₀′ of ⊢ 1 ⊕ 1 and we obtain a weight w s.t. f_{π₀′}(1 ⊕
1, (ε, g, w)) = (1 ⊕ 1, (ε, g, w)), so f_{π₀}(1 ⊕ 1, (ε, g, w.p)) = (1 ⊕ 1, (ε, g, w.p)).
Moreover for any weight w′, f_{π₀′}(1 ⊕ 1, (ε, d, w′)) = †, thus, by Lemma 3, we
also have f_{π₀}(1 ⊕ 1, (ε, d, w′)) = †.

Finally we conclude by Theorem 1. □

We cannot assume that the weight w is empty for the evaluation of f_π be-
cause, for some proofs, f_π(A, (m, a, 1)) = † for any A, m and a (see the proof of
⊢ 1 ⊕ 1 in the introduction, for example).

The parallel machine gives a solution for this problem since it doesn't re-
quire any initial weight information. The weight may be built dynamically, thus
starting with 1 is sufficient.

Proposition 2. If π is a proof of ⊢ 1 ⊕ 1 whose quasi-normal form is π₀
then π₀ ends with a ⊕_i-rule whose conclusion is ⊢ 1 ⊕ 1, and either
f^P_π(1 ⊕ 1, (ε, g, 1)) ≠ 0 and i = 1, or f^P_π(1 ⊕ 1, (ε, d, 1)) ≠ 0 and i = 2.

4 Exponentials 

We now have to generalize some of our definitions of Sect. 1 to deal with the
following exponential rules. The interpretation is the one defined by Danos and
Regnier [4], accommodated with the additives and extended to the ?w-rule.

4.1 Sequent Calculus 

hr, 4 hA,4 
h ?r, !4 ■ h r, ?4 • “ 

^ A,j?i hA,?4i,?42 f- A,??hi 

hr,R,?4 \- r,?A \- r,iA " 

The formula B in the context of the ?w-rule is used for the same purpose as
in the ⊤-rule. We use a functorial promotion and a digging rule (??-rule) instead
of the usual promotion because it allows us to decompose the GoI precisely.

Definition 7 (Weight, Definition 1 continued). A copy address c is a word
built on the letters {g, d}.

A basic weight is now a pair of an elementary weight p (or its negation p̄)
and a copy address c, and is denoted by p_c (p̄_c).
In order to deal with the erasing of sub-proofs by the weakening cut elimi-
nation step, we will only consider proofs with no ? in conclusions. To prove the
preservation of the interpretation by reduction, we can restrict cut elimination
to the particular strategy reducing only exponential cuts with no context in the
!-rule.

In the ?c cut elimination step, we obtain two copies π₁′ and π₁″ of the proof
π₁ of ⊢ !A. In π₁′ (resp. π₁″), we replace all the basic weights p_c by p_{g.c} (resp.
p_{d.c}).



4.2 Extending the Machine

Definition 8 (Exponential informations).

— Exponential signatures σ and exponential stacks s are defined by:

$\sigma ::= \Box \mid g.\sigma \mid d.\sigma \mid \ulcorner\sigma\urcorner.\sigma \mid [s]$

$s ::= \varepsilon \mid \sigma.s$

We will use the notation [s] to talk about both and

— The copy address $\bar{\sigma}$ of an exponential signature σ is defined by: $\bar{\Box} = \varepsilon$,
$\overline{[s]} = \varepsilon$, $\overline{g.\sigma} = g.\bar{\sigma}$, $\overline{d.\sigma} = d.\bar{\sigma}$ and $\overline{\ulcorner\sigma'\urcorner.\sigma} = \bar{\sigma}'.\bar{\sigma}$.

— The copy address of an exponential stack is: $\bar{\varepsilon} = \varepsilon$ and $\overline{\sigma.s} = \bar{\sigma}.\bar{s}$.

— We define the predicate weak() on signatures by:

• weak(□) = false and weak([s]) = true

• weak(g.σ) = weak(σ) and weak(d.σ) = weak(σ)

• weak(⌜σ′⌝.σ) = weak(σ′)

The weak() predicate tells whether the leaf of the exponential branch described by
σ is a ?w-rule.

Definition 9 (Token, continued). For the full case, a token is
a tuple (m, a, w, b, s) where b and s are exponential stacks. Moreover the language
of m is extended to {g, d, ↓} and the language of a is extended to {g, d, ↓}
(⇑, ⇓ and ↓ are only used for ⊤ and ?w).

Definition 10 (Type of a token). The type of a token (m, a, w, b, s) in a
formula of a proof is the pair (|b| − d, |s| − n) where |.| is the length of a stack, d
is the depth of the formula in the proof (i.e., the number of !-rules below it) and
n is the number of exponential connectives in the scope of which the subformula
described by m and a is (without looking at the right of any ↓, ⇑ or ⇓ symbol).

In the transitions of the machine defined in Fig. 2, we replace everywhere p by
$p_{\bar{b}}$, since we have to take into account the stack b and to look at the dependency
with respect to $p_{\bar{b}}$, for example:

AkB^m,g.a,w{p^J) A^m,a,w{p^J) 

For the constants (Sect. 3.1), we have to refine the ⊤-transitions (Fig. 4).

The new transitions of the token machine for exponential rules are described
in Fig. 5. Some transitions are implicit to simplify the description: if no tran-
sition appears for a state F(m, a, w, b, s), it just corresponds to the transition
F(m, a, w, b, s) → 0.
⊥

{m,a,w,b,s) ^ s) 

A{{m,a,w,b,s) ^ |.a, w, 6, s) 

_L^(f|'.m, |.a, w, b, s) Al(m, a, w, b, s) 

|.o, w, b, s) A^(m, a, w, b, s) 

±^m,a,w,b,s) — > 0 m 7^ fl-.m', JJ-.m' or o 7^ |.a' 

r\m,a,w,b,s) —^rl{m,a,w,b,s) 
r^{m,a,w,b,s) ^ {m, a,w,b, s) 

Fig. 4. _L-transitions (exponential case). 



Lemma 4. If the type of the starting token is (p, q) with q > 0, at any step of
the execution the type of the token is (p, q′) with q′ > 0.

Lemma 5. If f_π(F, (m, a, w, b, s)) = (F′, (m′, a′, w′, b, s′)), and if $\bar{b} = \bar{b}_1$ then
f_π(F, (m, a, w, b₁, s)) = (F′, (m′, a′, w′, b₁, s′)).

Theorem 1.b (Soundness continued). Theorem 1 is still true in LL
for a proof without any ? in its conclusions and a token of type (p, q) with p > 0
and q > 0.

Proof. We keep the same notations as in the proof of Theorem 1. We will look,
for each exponential cut, at the sequence s₁, s₂, ... (resp. s₁′, s₂′, ...) of the states
F(m, a, w, b, s) in the conclusions of the sub-proofs π₁ and π₂ during the com-
putation of M_π (resp. M_π′) on the state associated to j. With the notations given
below, we can remark that s_{2i} (resp. s_{2i+1}) will always be in the conclusions of
π₁ (resp. π₂), and likewise for s′_{2i} and s′_{2i+1}.

We only prove the digging case; the others are left to the reader.



Digging cut. In this case, we cannot prove ∀i, s_i = s_i′ but only the weaker result
∀i, s_i = F(m, a, w, b, s) ⟺ s_i′ = F(m, a, w, b′, s) with $\bar{b} = \bar{b}'$. Lemma 5
proves that it doesn't really matter.



7Tl 

h !A ■ 



7T2 



h Fi,V.A-^ 
bT2,?T^ 



7Tl 

h A 
h !A 
h !!A 



h ri,7iA-^ 

FT 



cut 



If s_{2i+1} exists then:

— either s_{2i+2} doesn't exist because f_{π₂} is not defined on s_{2i+1} or because
f_{π₂}(s_{2i+1}) ∈ Δ,

— or f_{π₂}(s_{2i+1}) = (??A^⊥, (m, a, w, b, s)) with s = σ.σ′.s′ (Lemma 4) and
s_{2i+2} = A^⊥(m, a, w, (⌜σ′⌝.σ).b, s′).



Remark that the stack b of s_{2i} is always of the shape (⌜σ′⌝.σ).b′. If s_{2i} exists
then:
!

\A^ {m,a,w,b,a.s) {m, a,w, a.b, s) 

\A^ {m,a,w,b,a.s) \A^{m,a,w,b,a.s) 

A^{m,a,w,a.b, s) \A^{m,a,w,b,a.s) 

7r^ {m,a,w,b,a.s) {m, a, w, a.b, s) 

r^{m,a,w,a.b, s) ?r^{m,a,w,b,a.s) 

Id 

o, ui, 6, D-s) — > A^ {m,a,w,b, s) 
lA^{m,a,w,b,s) — > 0 s / D-s' 

A^{m,a,w,b,s) ^ ?A^{m,a,w,b,n.s) 

(m, a,w,b,s) — ^ -T/ (m, a,w,b,s) 

-T/ (m, a, w, b, s) (m, a, w, b, s) 

?? 

7A^ {m,a,w,b, {'~a'~'.a).s) — ^ ??A^ {m,a,w,b,a.a' .s) 

?A^m,a,w,b,s) ^0 s ^ ('~a~'.a').s' 

?? A^ (m, a, w, b, a.a' .s) ?A^(m,a,w,b, Ca'~'.a).s) 

(m, a,w,b,s) -T/ (m, a,w,b, s) 

-T/ (m, a,w,b,s) ^ F^ (m, a,w,b, s) 

?c 

7A^{m,a,w,b, {g.a).s) 7Ai^{m,a,w,b,a.s) 

7A^m,a,w,b, (d.cr).s) — ^ 7A2^ {m,a,w,b,a.s) 

7A^{m,a,w,b,s) —^0 s ^ {g.a).s' , {d.a).s' 

7Ai^{m,a,w,b,a.s) 7A^{m,a,w,b, {g.a).s) 

7A2^{m, a, w, b, a.s) 7A^{m, a, w, b, (d.a).s) 

F^ (m, a,w,b,s) F^ (m, a,w,b, s) 

-T/ (m, a,w,b,s) F^ (m, a,w,b, s) 

7w 

B\m,a,w,b,s) ^ |.a, w, 6, [s]^.[e]^*^ 

B[{m,a,w,b,s) ^ |.a, w, 6, 

?j4^(|.m, |.a, w, 6, [s]’'^.s') ^ Bl{m,a,w,b,s) 

?2l^d.m, |.a, tt), 6, [sj'^.s') — ^ B^{m,a,w,b,s) 

7A^{m,a,w,b,s) — > 0 s ^ [s'].s" or m ^ \.m! or a ^ \.a' 

F^ {m,a,w,b,s) ^ Fl{m,a,w,b,s) 

F^{m,a,w,b,s) ^ F^{m,a,w,b,s) 

Fig. 5. Exponential group, (in the ?uetransitions, k is the number of ? and ! in front 
of 7 A and is used to preserve a correct type of the token) 



¬weak(σ)

weak(σ)
— either s_{2i+1} doesn't exist because f_{π₁} is not defined on s_{2i},

— or f_{π₁}(s_{2i}) = (A, (m, a, w, b, s)) and, by Lemma 5, b = (⌜σ′⌝.σ).b′, thus
s_{2i+1} = A^⊥(m, a, w, b′, σ.σ′.s).

We also have s′_{2i+1} = s_{2i+1}, and if s_{2i} = A(m, a, w, (⌜σ′⌝.σ).b, s) then s′_{2i} =
A(m, a, w, σ′.σ.b, s) by Lemma 5 with $\overline{(\ulcorner\sigma'\urcorner.\sigma).b} = \overline{\sigma'.\sigma.b}$. □

To conclude, we have to note that Theorem 3, about computation for
booleans, is still true in the full case!

Acknowledgements. Thanks to Laurent Regnier for his support and to the ref- 
erees for their comments about presentation. 
Abstract. We extend the notion of pre-logical relation between models
of simply typed lambda-calculus, recently introduced by F. Honsell and
D. Sannella, to models of second-order lambda calculus. With pre-logical
relations, we obtain characterizations of the lambda-definable elements
of and the observational equivalence between second-order models. These
are simpler than those using logical relations on extended models.
We also characterize representation independence for abstract data types
and abstract data type constructors by the existence of a pre-logical
relation between the representations, thereby varying and generalizing
results of J.C. Mitchell to languages with higher-order constants.



1 Introduction 

"Logical" relations between terms or elements of models of the simply typed
λ-calculus allow one to prove, by induction on the structure of types, syntactical
properties like normalization and Church-Rosser theorems ([Tai67], [Sta85]) and
semantical properties like λ-definability of elements ([Plo80], [Sta85]) or obser-
vational equivalence of models ([Mit91]).

In first-order, i.e. simply typed, λ-calculus, a logical relation $\{R_\tau \mid \tau \in
\mathrm{Type}\} = \mathcal{R}$ is built by induction on types using

$(f, g) \in R_{(\rho\to\sigma)} \iff \forall a, b : \rho\ \big((a, b) \in R_\rho \Rightarrow (f \cdot a, g \cdot b) \in R_\sigma\big),$ (1)

starting from relations $R_\tau$ on base types τ. In second-order λ-calculus, the do-
main of (semantic) types can no longer be constructed inductively; yet, cen-
tral results of the first-order case can be transferred, such as the characteriza-
tion of λ-definable elements or that of observational equivalence (cf. J. Mitchell
[MM85], [Mit86]).

Even in the first-order case, logical relations have some disturbing properties,
viz. they are not closed under relation composition and do not admit a character-
ization of observational equivalence for languages with higher-order constants.
To overcome these difficulties, several authors (cf. [HS99], [PPST00], [PR00])
recently have proposed to use a more general class of relations, called pre- or lax
logical relations. They arise by restricting direction ⇐ in (1) to functions that are
λ-definable (using related parameters). F. Honsell and D. Sannella [HS99] gave
several characterizations and applications of pre-logical relations that demon-
strate the stability and usefulness of the notion.

We here follow this route and generalize pre-logical relations to the second-
order λ-calculus by similarly weakening the conditions for $R_\forall$. As in the first-
order case, the λ-definable elements of a model can then be characterized as
the intersection of all pre-logical predicates on the model. It follows that ob-
servational equivalence of second-order models can be expressed as a suitable
pre-logical relation between models.

But our main interest lies in the equivalence of different implementations or
representations of an abstract datatype α and the operations c : σ(α) coming
with it. Two representations $(\tau_i, t_i : \sigma[\tau_i/\alpha])$ of (α, c : σ) in a model $\mathcal{A}$ are
equivalent if appropriately defined expansions $\mathcal{A}(\tau_i, t_i)$ of $\mathcal{A}$ are observationally
equivalent with respect to the language not containing α and c.

For languages without higher-order constants, J. C. Mitchell [Mit86, Mit91]
has characterized this equivalence by the existence of a suitable logical rela-
tion between expansions of the models. However, programming languages like
Standard ML [MTHM97] not only have abstract data types in the presence
of higher-order constants, but they also allow abstraction over data type con-
structors (and, in some versions, higher-order functors). We handle abstract
type constructors as indeterminates on the kind level and their implementations
as definable expansions of a second-order model. Representation independence
for abstract type constructors can then be characterized as the existence of a
second-order pre-logical relation between the representations. This also holds for
languages with higher-order constants.

In section 2 we consider declarations of abstract data types as expansions of 
first-order models by definable types and elements, and compare a characteriza- 
tion of equivalent representations based on pre-logical relations with a criterion 
by Mitchell based on logical relations. Section 3 gives syntax and semantics for 
second-order A-calculus. In section 4 we define second-order pre-logical relations, 
present some basic properties in 4.1, and use them in 4.2 to characterize defin- 
able elements and observational equivalence for second order models. Section 4.3 
treats abstract type constructors and polymorphic constants and characterizes 
the equivalence of two representations by definable type constructors. 

2 Pre-logical Relations for Simply Typed λ-Calculus

Let T be the simple types σ, τ ::= β | (σ → τ) over base types β. We write
Γ ▷ t : τ for a term typed in the context Γ : Var → T using the standard typing
rules. $\lambda^\to_C$ stands for the set of typed terms over a set C of typed constants, c : σ.

Definition 2.1. An (extensional) model $\mathcal{A} = (A, \Phi^{\mathcal{A}}, \Psi^{\mathcal{A}}, C^{\mathcal{A}})$ of the simply
typed λ-calculus $\lambda^\to_C$ consists of a family $A = (A_\sigma)_{\sigma\in T}$ of sets, an interpretation
$C^{\mathcal{A}}(c) \in A_\sigma$ of the constants $c : \sigma \in C$, and families $\Phi^{\mathcal{A}} = (\Phi_{\sigma,\tau})_{\sigma,\tau\in T}$ and
$\Psi^{\mathcal{A}} = (\Psi_{\sigma,\tau})_{\sigma,\tau\in T}$ of mappings

$\Phi_{\sigma,\tau} : A_{(\sigma\to\tau)} \to [A_\sigma \to A_\tau]$ and $\Psi_{\sigma,\tau} : [A_\sigma \to A_\tau] \to A_{(\sigma\to\tau)}$,

where $[A_\sigma \to A_\tau] \subseteq \{h \mid h : A_\sigma \to A_\tau\}$ contains all definable functions, such
that $\Phi_{\sigma,\tau} \circ \Psi_{\sigma,\tau} = \mathrm{Id}_{[A_\sigma\to A_\tau]}$ (and $\Psi_{\sigma,\tau} \circ \Phi_{\sigma,\tau} = \mathrm{Id}_{A_{(\sigma\to\tau)}}$) for all $\sigma, \tau \in T$.

An environment η over $\mathcal{A}$ satisfies the context Γ, in symbols: $\eta : \Gamma \to \mathcal{A}$, if
$\eta(x) \in A_\sigma$ for all $x : \sigma$ in Γ. Terms are interpreted in $\mathcal{A}$ under $\eta : \Gamma \to \mathcal{A}$ via

$[\![\Gamma \rhd (r \cdot s)]\!]\eta := \Phi_{\sigma,\tau}([\![\Gamma \rhd r : (\sigma\to\tau)]\!]\eta)([\![\Gamma \rhd s : \sigma]\!]\eta)$,

$[\![\Gamma \rhd \lambda x.t : (\sigma\to\tau)]\!]\eta := \Psi_{\sigma,\tau}(\lambda a \in A_\sigma.\,[\![\Gamma, x : \sigma \rhd t : \tau]\!]\eta[a/x])$.

We write $[\![t]\!]\eta$ rather than $[\![\Gamma \rhd t : \tau]\!]\eta$, if Γ and τ are clear from the context.

Definition 2.2. A predicate $\mathcal{R} \subseteq \mathcal{A}$ on $\mathcal{A}$ is a family $\mathcal{R} = \{R_\sigma \mid \sigma \in T\}$ with
$R_\sigma \subseteq A_\sigma$ for each $\sigma \in T$. An environment $\eta : \Gamma \to \mathcal{A}$ over $\mathcal{A}$ respects $\mathcal{R}$, in
symbols: $\eta : \Gamma \to \mathcal{R}$, if $\eta(x) \in R_\sigma$ for each $x : \sigma \in \Gamma$.

A predicate $\mathcal{R} \subseteq \mathcal{A}$ is called pre-logical, if $[\![\Gamma \rhd t : \tau]\!]\eta \in R_\tau$ for each term
$\Gamma \rhd t : \tau$ and environment $\eta : \Gamma \to \mathcal{R}$. A pre-logical relation between $\mathcal{A}$ and $\mathcal{B}$
is a pre-logical predicate on $\mathcal{A} \times \mathcal{B}$.

The definition is easily adapted to extensions of T by cartesian products (σ × τ)
and disjoint unions (σ + τ), if the extension of terms is done by adding constants.

The property used here as a definition is called the “Basic Lemma” for pre- 
logical relations by Honsell and Sannella. The Basic Lemma for logical relations 
says that every logical relation is a pre-logical relation. 

Let $\mathrm{Def}^{\mathcal{A}} = \{\mathrm{Def}^{\mathcal{A}}_\tau \mid \tau \in T\}$ be the predicate of definable elements of $\mathcal{A}$,
where

$\mathrm{Def}^{\mathcal{A}}_\tau := \{[\![t]\!] \mid\ \rhd t : \tau,\ t \in \lambda^\to_C\}$.

Normally, $\mathrm{Def}^{\mathcal{A}}$ is not a logical predicate since $[\mathrm{Def}^{\mathcal{A}}_\sigma \to \mathrm{Def}^{\mathcal{A}}_\tau] \supsetneq \mathrm{Def}^{\mathcal{A}}_{\sigma\to\tau}$. But:

Theorem 2.3 ([HS99], Proposition 5.7, Example 3.10) Let $\mathcal{A}$ be a model of $\lambda^\to_C$.
(i) For each predicate $\mathcal{C} \subseteq \mathcal{A}$, there is a least pre-logical predicate $\mathcal{R} \subseteq \mathcal{A}$ with
$\mathcal{C} \subseteq \mathcal{R}$. (ii) $\mathrm{Def}^{\mathcal{A}}$ is the least pre-logical predicate on $\mathcal{A}$.

We use the following version of observational equivalence (it differs slightly
from indistinguishability by closed equations of observable types as used in
[HS99]):

Definition 2.4. Let $T^+$ be the simple types generated from a superset of the
base types of T, and $C^+$ an extension of C by new constants with types in $T^+$.
Let $\mathcal{A}^+, \mathcal{B}^+$ be two models of $\lambda^\to_{C^+}$ with $A^+_\tau = B^+_\tau$ for all $\tau \in T$. $\mathcal{A}^+$ and $\mathcal{B}^+$
are observationally equivalent with respect to T, in symbols: $\mathcal{A}^+ \equiv_T \mathcal{B}^+$, if
$[\![t]\!]^{\mathcal{A}^+} = [\![t]\!]^{\mathcal{B}^+}$ for all $\rhd t : \tau$ of $\lambda^\to_{C^+}$ where $\tau \in T$.

Theorem 2.5 (cf. [HS99], Theorem 8.4) $\mathcal{A}^+ \equiv_T \mathcal{B}^+$ iff there is a pre-logical
relation $\mathcal{R}^+ \subseteq \mathcal{A}^+ \times \mathcal{B}^+$ such that $R^+_\tau \cap (\mathrm{Def}^{\mathcal{A}^+}_\tau \times \mathrm{Def}^{\mathcal{B}^+}_\tau) \subseteq \mathrm{Id}_{A^+_\tau}$ for all $\tau \in T$.

For ⇒ use 2.3 and $\mathcal{R}^+ = \mathrm{Def}^+$. With logical relations we have ⇒ only if
C does not contain higher-order constants (cf. Exercise 8.5.6 in [Mit96]).



2.1 Abstract Data Types and Representation Independence 

The declaration of an abstract data type,

(abstype (α, x : σ) with x : σ ▷ e₁ = e₂ : ρ is (τ, t : σ[τ/α]) in s), (2)

introduces a "new" type α and a "new" object x : σ(α) with "defining" property
e₁ = e₂ : ρ(α), which are interpreted in scope s by the type τ and the term t,
where α does not occur in the type of s. Roughly, evaluation of (2) in a model $\mathcal{A}$
of $\lambda^\to_C$ is done by first expanding $\mathcal{A}$ by interpreting α by $A_\tau$ and x by the value
of t : σ[τ/α] and then evaluating s in the expanded model, $\mathcal{A}(\tau, t)$ (see below).

The data type (α, x : σ) is abstract in s if the value of s is independent from
the representation (τ, t) used; i.e. if for any two representations $(\tau_i, t_i : \sigma[\tau_i/\alpha])$,
i = 1, 2, that "satisfy" the equation x : σ ▷ e₁ = e₂ : ρ, we have



To "satisfy" the equation e₁ = e₂ in an expansion $\mathcal{A}(\tau_i, t_i)$, the equality on
the new type α normally is not true equality on $A_{\tau_i}$, but a suitable partial
equivalence relation on $A_{\tau_i}$:

$[\![(\mathrm{abstype}\ (\alpha, x_0 : \sigma_0)\ \mathrm{with}\ x_0 : \sigma_0 \rhd e_1 = e_2 : \rho\ \mathrm{is}\ (\tau_0, t : \sigma_0[\tau_0/\alpha])\ \mathrm{in}\ s)]\!]^{\mathcal{A}}\eta :=$

$\quad \mathrm{let}\ \mathcal{A}^+ = \mathcal{A}(\tau_0, [\![t]\!]^{\mathcal{A}}\eta)\ \mathrm{in}\ [\![s]\!]^{\mathcal{A}^+}\eta$, if there is a pre-logical
partial equivalence relation $\mathcal{E} \subseteq \mathcal{A}^+ \times \mathcal{A}^+$ such that
$([\![e_1]\!]^{\mathcal{A}^+}\eta, [\![e_2]\!]^{\mathcal{A}^+}\eta) \in E_\rho$ and $E_\tau = \mathrm{Id}_{A_\tau}$ for $\tau \in T$,

$\quad \mathrm{error}$, else.



Note that in the first case, there is a least such $\mathcal{E}$, and $\mathcal{A}$ is canonically embedded
in $\mathcal{A}^+/\mathcal{E}$. Since $\mathcal{E}$ is pre-logical, the value of $x_0$ in $\mathcal{A}^+$ is self-related by $E_{\sigma_0}$, and
the additional operations provided by t actually belong to $\mathcal{A}^+/\mathcal{E}$, which satisfies
e₁ = e₂. But since the type of s does not involve α, the value of s in $\mathcal{A}^+$ and
$\mathcal{A}^+/\mathcal{E}$ is the same, so there is no need to actually construct $\mathcal{A}^+/\mathcal{E}$.

Definition 2.6. Let $T^+$ be the types constructed from the base types of T and
a new base type α. Let $\sigma_0 \in T^+$ and $C^+ = C, x_0 : \sigma_0$. For $\tau_0 \in T$, $a \in A_{\sigma_0[\tau_0/\alpha]}$
let $\mathcal{A}(\tau_0, a) = \mathcal{A}^+ := (A^+, \Phi^+, \Psi^+, (C^+)^{\mathcal{A}^+})$ be given by:

$A^+_\sigma := A_{\sigma[\tau_0/\alpha]}$,

$(C^+)^{\mathcal{A}^+}(c) := C^{\mathcal{A}}(c)$ if $c : \tau \in C$, and $:= a$ if $c : \tau = x_0 : \sigma_0$,

$\Phi^+_{\sigma,\tau} := \Phi_{\sigma[\tau_0/\alpha],\tau[\tau_0/\alpha]}$, $\Psi^+_{\sigma,\tau} := \Psi_{\sigma[\tau_0/\alpha],\tau[\tau_0/\alpha]}$.

We call the model $\mathcal{A}^+$ of $\lambda^\to_{C^+}$ the expansion of $\mathcal{A}$ defined by $(\tau_0, a)$.
From now on we focus on the equivalence of representations and ignore the re-
striction to implementations satisfying a specification. Two expansions $\mathcal{A}(\tau_1, t_1)$
and $\mathcal{A}(\tau_2, t_2)$ of $\mathcal{A}$ are equivalent representations of an abstype (α, x : σ) if (3)
holds for all terms s whose type does not contain α, i.e. if $\mathcal{A}(\tau_1, t_1) \equiv_T \mathcal{A}(\tau_2, t_2)$.

Remark 2.7. For a careful categorical treatment of abstract data types with
equational specifications, see [PR00]. The simpler form of abstype declarations
(abstype (α, x : σ) is (τ, t) in s) does occur in programming languages like SML
and has been investigated in [MP85, Mit91]. It can be viewed as a case of SML's
restriction Str :> Sig of the structure (α = τ, x = t) to the signature (α, x : σ).

Example 2.8 Consider a type of multisets with some higher-order operations.
(Assume that 'a = ''b is a fixed type of T. Actually, bag : T → T is a type
constructor, since 'a and ''b are type variables. See section 4.2 for this.)

signature BAG = sig
  type 'a bag
  val empty  : 'a bag
  val member : ''a -> ''a bag -> int
  val insert : ''a * int -> ''a bag -> ''a bag
  val map    : ('a -> ''b) -> 'a bag -> ''b bag
  val union  : ('a -> ''b bag) -> 'a bag -> ''b bag
end

An A-bag B represents the multiset {(a, n) | member a B = n > 0, a ∈ A}.
Each implementation of member gives a partial equivalence relation $\mathcal{E}$ such that
$B_1\ E_{bag}\ B_2$ iff $B_1$ and $B_2$ represent the same multiset. One implementation Bag1
of bags is by lists of elements paired with their multiplicity:

structure Bag1 :> BAG = struct
  type 'a bag = ('a * int) list
  fun member a [] = 0
    | member a ((b,n)::B) = if a=b then n else (member a B)

end

Another implementation Bag2 is by lists of elements:

structure Bag2 :> BAG = struct
  type 'a bag = 'a list
  fun member a [] = 0
    | member a (b::B) = if a=b then 1+(member a B) else (member a B)

end

The implementations Bag1 and Bag2 are observationally equivalent if they
assign the same value to all closed terms (member s t) : int.
Observational equivalence can be characterized by pre-logical relations. To
cover nested abstype-declarations, we characterize the observational equivalence
of two expansions of models that are related by a pre-logical relation $\mathcal{R}$ instead
of Id.
Theorem 2.9 Let $\mathcal{R} \subseteq \mathcal{A} \times \mathcal{B}$ be a pre-logical relation. Let $\mathcal{A}^+$ and $\mathcal{B}^+$ be
definable expansions of $\mathcal{A}$ and $\mathcal{B}$ to models of $\lambda^\to_{C^+}$. The following are equivalent:

(i) for each closed $\lambda^\to_{C^+}$-term $\rhd t : \tau$ with $\tau \in T$ we have $([\![t]\!]^{\mathcal{A}^+}, [\![t]\!]^{\mathcal{B}^+}) \in R_\tau$.

(ii) there is a pre-logical relation $\mathcal{R}^+ \subseteq \mathcal{A}^+ \times \mathcal{B}^+$ with $R^+_\tau = R_\tau$ for all $\tau \in T$.

Proof. For simplicity of notation we consider the unary case, i.e. pre-logical
predicates $\mathcal{R} \subseteq \mathcal{A}$ and $\mathcal{R}^+ \subseteq \mathcal{A}^+$. (ii) ⇒ (i) is obvious. (i) ⇒ (ii): for $\tau \in T^+$ let

Defr = I t G A^+, h t : r} and Cr := | ^ 

By assumption we have $\mathrm{Def}^+_\tau \subseteq R_\tau$ for $\tau \in T$. Each pre-logical predicate on $\mathcal{A}^+$
as in (ii) satisfies the following conditions in positively occurring unknowns $X_\tau$:

$X_\tau \supseteq C_\tau \cup \bigcup\{X_{(\rho\to\tau)} \cdot X_\rho \mid \rho \in T^+\},\quad \tau \in T^+.$ (4)

Let $\mathcal{R}^+ = \{R^+_\tau \mid \tau \in T^+\} \subseteq \mathcal{A}^+$ be the least solution of (4). It is a pre-logical
predicate: if $\eta : \Gamma \to \mathcal{R}^+$ and $\Gamma \rhd t : \tau$ is a $\lambda^\to_{C^+}$-term, with $\Gamma = \{x : \sigma\}$ say, then

$[\![\Gamma \rhd t : \tau]\!]\eta = [\![\rhd \lambda x : \sigma.t : \sigma \to \tau]\!] \cdot \eta(x) \in \mathrm{Def}^+_{\sigma\to\tau} \cdot R^+_\sigma \subseteq R^+_{\sigma\to\tau} \cdot R^+_\sigma \subseteq R^+_\tau$.

It is not hard to see that for each $\tau \in T^+$

$R^+_\tau = \bigcup\{\mathrm{Def}^+_{(\rho_1 \to \cdots \to \rho_n \to \tau)} \cdot R_{\rho_1} \cdots R_{\rho_n} \mid n \in \mathbb{N},\ \rho_1, \ldots, \rho_n \in T\}$.

For $\rho, \tau \in T$ we have $\mathrm{Def}^+_{\rho\to\tau} \subseteq R_{\rho\to\tau}$ by (i), which gives $\mathrm{Def}^+_{\rho\to\tau} \cdot R_\rho \subseteq R_\tau$ and
so $R^+_\tau \subseteq R_\tau$. Therefore we also have $R^+_\tau = R_\tau$ for $\tau \in T$. □

In the corresponding theorem for logical relations (cf. [Mit91], Cor. 1), direc-
tion (i) ⇒ (ii) is restricted to languages where C has no higher-order constants.
The logical relation $\mathcal{R}^+$ in (ii) can then be inductively generated from the pred-
icates $\{R^+_\tau \mid \tau \in T^+ \text{ a base type}\}$ of the least solution of (4). This works even
when all constants $c : \tau \in C^+$ are first-order in α, like map in 2.8. The observa-
tional equivalence of two representations can be shown by (ii) ⇒ (i). When used
with logical relations, premise (ii) can be reformulated to a 'local' criterion for
equivalence of representations, which fails for pre-logical relations:

Lemma 2.10. (cf. [Mit86], Lemma 4) Let $\mathcal{A}$ and $\mathcal{B}$ be logically related by $\mathcal{R}$,
and let $\mathcal{A}^+$ and $\mathcal{B}^+$ be definable expansions of $\mathcal{A}$ and $\mathcal{B}$ to models of $\lambda^\to_{C^+}$. Then
(i) and (ii) are equivalent:

(i) There is a relation $R^+_\alpha \subseteq A^+_\alpha \times B^+_\alpha$, such that $(c^{\mathcal{A}^+}, c^{\mathcal{B}^+}) \in R^+_\tau$ for $c : \tau \in C^+ \setminus C$,
where $R^+_\tau := R_\tau$ for $\tau \in T$ and $R^+_{(\rho\to\sigma)} = [R^+_\rho \to R^+_\sigma]$ for $(\rho \to \sigma) \notin T$.

(ii) There is a logical relation $\mathcal{R}^+ \subseteq \mathcal{A}^+ \times \mathcal{B}^+$ with $R^+_\tau = R_\tau$ for all $\tau \in T$.
Unfortunately, if $\mathcal{R} \subseteq \mathcal{A} \times \mathcal{B}$ is pre-logical, then condition (i) does not imply
the existence of a pre-logical relation $\mathcal{R}^+ \subseteq \mathcal{A}^+ \times \mathcal{B}^+$ that agrees with $\mathcal{R}$ on types
of T, because the necessary condition (cf. Theorem 2.9, (i)) $\mathrm{Def}^+_{(\sigma\to\tau)} \subseteq R_{(\sigma\to\tau)}$
for $(\sigma \to \tau) \in T$ may fail: Take $f \in [R_\sigma \to R_\tau] \setminus R_{(\sigma\to\tau)}$ and let $f = c_2 \circ c_1$ with
constants $c_1 : \sigma \to \rho$, $c_2 : \rho \to \tau$ for some $\rho \notin T$.

Hence, although pre-logical relations give a complete characterization of the
equivalence of representations when higher-order constants are present, they
seem harder to use in establishing the equivalence of representations: instead
of checking the existence of $R^+_\alpha$ with property (i) of 2.10, one has to check the
global property of $\lambda^\to_{C^+}$-observational equivalence with respect to all types of T.



3 Second Order Lambda Calculus

We now look at definability and observational equivalence for the second order
λ-calculus. The characterizations by pre-logical relations are similar to the
first-order case, but the construction of pre-logical relations is more elaborate
since these can no longer be defined by induction on type expressions.



3.1 Syntax and Semantics of 

In second order lambda calculus, in addition to terms denoting objects one has
constructors denoting types or functions on types.

Definition 3.1. The kinds κ of the second-order calculus are given by κ ::= T | (κ ⇒ κ). The
classification C of constants is split in two components, $C = (C_{Kind}, C_{Type})$.
By $C_{Kind}$, a set of assumptions of the form c : κ, each constructor constant c
is assigned a unique kind κ. In particular, $C_{Kind}$ contains the type constructors
→ : T ⇒ (T ⇒ T) and ∀ : (T ⇒ T) ⇒ T.

A constructor Δ ▷ μ : κ of kind κ is a sequent derivable with the following
rules, where Δ is a context of kind assumptions for constructor vari-
ables:

(Const) $\dfrac{}{\Delta \rhd c : \kappa}$, for $c : \kappa \in C_{Kind}$

(Var) $\dfrac{}{\Delta, v : \kappa \rhd v : \kappa}$

(⇒E) $\dfrac{\Delta \rhd \mu : (\kappa_1 \Rightarrow \kappa_2) \quad \Delta \rhd \nu : \kappa_1}{\Delta \rhd (\mu \cdot \nu) : \kappa_2}$

(⇒I) $\dfrac{\Delta, v : \kappa_1 \rhd \mu : \kappa_2}{\Delta \rhd \lambda v.\mu : (\kappa_1 \Rightarrow \kappa_2)}$



For the constructor calculus we assume a reduction relation ⇝ subsuming α, β, η-reduction and
satisfying subject reduction, i.e. if Δ ▷ μ : κ and μ ⇝ ν, then Δ ▷ ν : κ.

(=1) $\dfrac{\Delta \rhd \mu : \kappa \quad \mu \leadsto \nu}{\Delta \rhd \mu = \nu : \kappa}$

(=2) $\dfrac{\Delta \rhd \mu : \kappa \quad \mu \leadsto \nu}{\Delta \rhd \nu = \mu : \kappa}$
A type Δ ▷ τ : T is a constructor of kind T. We use τ, σ for types and write
(σ → τ) and ∀τ etc. By $C_{Type}$, a set of assumptions of the form c : μ, each
individual constant c is assigned a unique closed constructor μ of kind T.

A typed term Δ; Γ ▷ t : τ is a sequent derivable with the following rules,
where Δ is a context of kind assumptions for constructor variables and Γ is a
context of type assumptions for individual variables:



(const) $\dfrac{\Delta \rhd \tau : T}{\Delta; \Gamma \rhd c : \tau}$, for $c : \tau \in C_{Type}$

(var) $\dfrac{\Delta \rhd \tau : T}{\Delta; \Gamma, x : \tau \rhd x : \tau}$, $x \notin \mathrm{dom}(\Gamma)$

(→I) $\dfrac{\Delta \rhd \sigma : T \quad \Delta; \Gamma, x : \sigma \rhd t : \tau}{\Delta; \Gamma \rhd (\lambda x : \sigma.t) : (\sigma \to \tau)}$

(→E) $\dfrac{\Delta \rhd \tau : T \quad \Delta; \Gamma \rhd t : (\sigma \to \tau) \quad \Delta; \Gamma \rhd s : \sigma}{\Delta; \Gamma \rhd (t \cdot s) : \tau}$

(∀I) $\dfrac{\Delta \rhd \mu : (T \Rightarrow T) \quad \Delta, \alpha : T; \Gamma \rhd t : (\mu \cdot \alpha)}{\Delta; \Gamma \rhd \Lambda\alpha.t : \forall\mu}$, if α not in Γ

(∀E) $\dfrac{\Delta \rhd \mu : (T \Rightarrow T) \quad \Delta \rhd \tau : T \quad \Delta; \Gamma \rhd t : \forall\mu}{\Delta; \Gamma \rhd (t \cdot \tau) : (\mu \cdot \tau)}$

(Typ =) $\dfrac{\Delta; \Gamma \rhd t : \tau \quad \Delta \rhd \tau = \sigma : T}{\Delta; \Gamma \rhd t : \sigma}$



By induction on the derivation, using the subject reduction property of the
constructor calculus in the case of (Typ =), we obtain:

Proposition 3.2. If Δ; Γ ▷ t : σ is a term, then Δ ▷ σ : T is a type.

Definition 3.3. A model frame $\mathcal{M} = (\mathcal{U}, \mathcal{D}, \Phi, \Psi)$ for the second-order calculus consists of

1. an extensional model $\mathcal{U} = (U, C^{\mathcal{U}}_{Kind}, \Phi^{\mathcal{U}}, \Psi^{\mathcal{U}})$ of the constructor calculus of Definition 3.1, to interpret
the constructors,

2. a family of individual domains for the types, $\mathcal{D} = (D_A)_{A \in U_T}$, with
individuals $C^{\mathcal{D}}_{Type}(c) \in D_{[\![\tau]\!]^{\mathcal{U}}}$ for $c : \tau \in C_{Type}$,

3. families $\Phi = (\Phi^\to, \Phi^\forall)$, $\Psi = (\Psi^\to, \Psi^\forall)$ with $\Phi^\to = (\Phi^\to_{A,B})_{A,B \in U_T}$, $\Psi^\to =
(\Psi^\to_{A,B})_{A,B \in U_T}$, $\Phi^\forall = (\Phi^\forall_f)_{f \in U_{(T \Rightarrow T)}}$, $\Psi^\forall = (\Psi^\forall_f)_{f \in U_{(T \Rightarrow T)}}$ of mappings

$\Phi^\to_{A,B} : D_{(A \to B)} \to [D_A \to D_B]$, $\Psi^\to_{A,B} : [D_A \to D_B] \to D_{(A \to B)}$,

$\Phi^\forall_f : D_{\forall f} \to [\Pi A \in U_T.\,D_{f \cdot A}]$, $\Psi^\forall_f : [\Pi A \in U_T.\,D_{f \cdot A}] \to D_{\forall f}$,
306 H. Leiß



for subsets $[D_A \to D_B] \subseteq \{h \mid h : D_A \to D_B\}$ and $[\Pi A \in U_T . D_{f \cdot A}] \subseteq \Pi A \in U_T . D_{f \cdot A}$, such that for all $A, B \in U_T$ and $f \in U_{(T \to T)}$

$$\Phi^{\to}_{A,B} \circ \Psi^{\to}_{A,B} = Id_{[D_A \to D_B]}, \qquad \Phi^{\forall}_f \circ \Psi^{\forall}_f = Id_{[\Pi A \in U_T . D_{f \cdot A}]}.$$

A (environment) model of the second-order calculus consists of a model frame $\mathcal{M} = (\mathcal{U}, \mathcal{D}, \Phi, \Psi)$ and an evaluation $\llbracket \cdot \rrbracket \cdot$ of terms, such that every typed term gets a value using

$$\llbracket \Delta; \Gamma \rhd x : \tau \rrbracket\eta = \eta(x), \qquad \llbracket \Delta; \Gamma \rhd c : \tau \rrbracket\eta = C_{Type}(c), \ \text{for } c : \tau \in C_{Type}$$

$$\llbracket \Delta; \Gamma \rhd (t \cdot s) : \tau \rrbracket\eta = \Phi^{\to}_{\llbracket\Delta \rhd \sigma : T\rrbracket\eta,\ \llbracket\Delta \rhd \tau : T\rrbracket\eta}\big(\llbracket \Delta; \Gamma \rhd t : (\sigma \to \tau) \rrbracket\eta\big)\big(\llbracket \Delta; \Gamma \rhd s : \sigma \rrbracket\eta\big)$$

$$\llbracket \Delta; \Gamma \rhd \lambda x : \sigma . t : (\sigma \to \tau) \rrbracket\eta = \Psi^{\to}_{\llbracket\Delta \rhd \sigma : T\rrbracket\eta,\ \llbracket\Delta \rhd \tau : T\rrbracket\eta}\big(\lambda a \in D_{\llbracket\Delta \rhd \sigma : T\rrbracket\eta} . \llbracket \Delta; \Gamma, x : \sigma \rhd t : \tau \rrbracket\eta[a/x]\big)$$

$$\llbracket \Delta; \Gamma \rhd (t \cdot \tau) : (\mu \cdot \tau) \rrbracket\eta = \Phi^{\forall}_{\llbracket\Delta \rhd \mu : (T \to T)\rrbracket\eta}\big(\llbracket \Delta; \Gamma \rhd t : \forall\mu \rrbracket\eta\big)\big(\llbracket \Delta \rhd \tau : T \rrbracket\eta\big)$$

$$\llbracket \Delta; \Gamma \rhd \lambda\alpha . t : \forall\mu \rrbracket\eta = \Psi^{\forall}_{\llbracket\Delta \rhd \mu : (T \to T)\rrbracket\eta}\big(\lambda A \in U_T . \llbracket \Delta, \alpha : T; \Gamma \rhd t : (\mu \cdot \alpha) \rrbracket\eta[A/\alpha]\big)$$

In particular, $\llbracket \Delta; \Gamma \rhd t : \tau \rrbracket\eta \in D_{\llbracket\Delta \rhd \tau : T\rrbracket\eta}$. If it is clear which context and type is meant, we write $\llbracket t \rrbracket\eta$ instead of $\llbracket \Delta; \Gamma \rhd t : \tau \rrbracket\eta$. We write $c^{\mathcal{A}}$ for $C^{\mathcal{A}}_{Type}(c)$.

We refer to Bruce et al. [BMM90] for an overview of various models of the second-order calculus.

4 Pre-logical Relations for Second Order λ-Calculus

Definition 4.1. Let $\mathcal{A} = (\mathcal{U}, \mathcal{D}, \Phi, \Psi, \llbracket \cdot \rrbracket \cdot)$ be an environment model of the second-order calculus.

A predicate $\mathcal{R} = (\mathcal{R}_{Kind}, \mathcal{R}_{Type})$ on $\mathcal{A}$ consists of a predicate $\mathcal{R}_{Kind} = \{R_\kappa \mid \kappa \in Kind\}$ on $\mathcal{U}$ where $R_\kappa \subseteq U_\kappa$ for each $\kappa \in Kind$ and a predicate $\mathcal{R}_{Type} = \{R_A \mid A \in R_T\}$ on $\mathcal{D}$ where $R_A \subseteq D_A$ for each $A \in R_T$.

An environment $\eta : \Delta; \Gamma \to \mathcal{A}$ respects the predicate $\mathcal{R}$, in symbols $\eta : \Delta; \Gamma \to \mathcal{R}$, if $\eta(v) \in R_\kappa$ for each $v : \kappa \in \Delta$ and $\eta(x) \in R_{\llbracket \Delta \rhd \tau : T \rrbracket\eta}$ for each $x : \tau \in \Gamma$.

The predicate $\mathcal{R} \subseteq \mathcal{A}$ is algebraic, if $\mathcal{R}_{Kind}$ is algebraic (Def. 3.2 of [HS99]) and

a) $c^{\mathcal{A}} \in R_A$ for each $c : \tau \in C_{Type}$ where $A = \llbracket \rhd \tau : T \rrbracket$,
b) $R_{(A \to B)} \subseteq \{h \in D_{(A \to B)} \mid h \cdot R_A \subseteq R_B\}$ for all $A, B \in R_T$,
c) $R_{\forall f} \subseteq \{h \in D_{\forall f} \mid \forall A \in R_T .\ h \cdot A \in R_{f \cdot A}\}$ for all $f \in R_{(T \to T)}$.

An algebraic predicate $\mathcal{R}$ is logical, if in b) and c) we also have $\supseteq$.

Definition 4.2. A predicate $\mathcal{R} = (\mathcal{R}_{Kind}, \mathcal{R}_{Type})$ on $\mathcal{A}$ is pre-logical, if

(i) $\mathcal{R}_{Kind}$ is a pre-logical predicate on $\mathcal{U}$, and

(ii) $\mathcal{R}_{Type}$ is a ‘pre-logical predicate on $\mathcal{D}$’, i.e. $\llbracket \Delta; \Gamma \rhd t : \tau \rrbracket\eta \in R_{\llbracket \Delta \rhd \tau : T \rrbracket\eta}$ for each term $\Delta; \Gamma \rhd t : \tau$ and every environment $\eta : \Delta; \Gamma \to \mathcal{R}$.

An algebraic (logical, pre-logical) relation $\mathcal{R}$ between $\mathcal{A}_1, \ldots, \mathcal{A}_n$ is an algebraic (logical, pre-logical) predicate $\mathcal{R} \subseteq \mathcal{A}_1 \times \ldots \times \mathcal{A}_n$.
4.1 Basic Properties of Second-Order Pre-logical Relations

The Basic Lemma for second order logical relations just says they are pre-logical:

Theorem 4.3 ([MM85], Theorem 2) Let $\mathcal{R} \subseteq \mathcal{A} \times \mathcal{B}$ be a logical relation between environment models $\mathcal{A}$ and $\mathcal{B}$ of the second-order calculus. For each term $\Delta; \Gamma \rhd t : \tau$ and every environment $\eta : \Delta; \Gamma \to \mathcal{R}$, $\llbracket \Delta \rhd \tau : T \rrbracket\eta \in R_T$ and $\llbracket \Delta; \Gamma \rhd t : \tau \rrbracket\eta \in R_{\llbracket \Delta \rhd \tau : T \rrbracket\eta}$.

As in the first-order case one can view Definition 4.2 as a Basic Lemma for relations defined using the following properties:

Lemma 4.4. A predicate $\mathcal{R} \subseteq \mathcal{A}$ is pre-logical iff:

1. $\mathcal{R}_{Kind}$ is pre-logical and $\mathcal{R}$ is algebraic,

2. for all terms $\Delta; \Gamma, x : \sigma \rhd t : \tau$ and environments $\eta : \Delta; \Gamma \to \mathcal{R}$ such that
$$\forall a \in R_{\llbracket\sigma\rrbracket\eta} .\ \llbracket \Delta; \Gamma, x : \sigma \rhd t : \tau \rrbracket\eta[a/x] \in R_{\llbracket\tau\rrbracket\eta}$$
we have $\llbracket \Delta; \Gamma \rhd \lambda x : \sigma . t : (\sigma \to \tau) \rrbracket\eta \in R_{\llbracket(\sigma \to \tau)\rrbracket\eta}$,

3. for all terms $\Delta, \alpha : T; \Gamma \rhd t : \tau$ and environments $\eta : \Delta; \Gamma \to \mathcal{R}$ such that
$$\forall A \in R_T .\ \llbracket \Delta, \alpha : T; \Gamma \rhd t : \tau \rrbracket\eta[A/\alpha] \in R_{\llbracket \Delta, \alpha : T \rhd \tau : T \rrbracket\eta[A/\alpha]}$$
we have $\llbracket \Delta; \Gamma \rhd \lambda\alpha t : \forall\alpha\tau \rrbracket\eta \in R_{\llbracket\forall\alpha\tau\rrbracket\eta}$.

Proof. $\Rightarrow$: Let $\mathcal{R}$ be pre-logical. Then $\mathcal{R}_{Kind}$ is pre-logical and algebraic. To show that $\mathcal{R}_{Type}$ is algebraic, i.e. that a), b), c) of Definition 4.1 hold, we focus on c): If $f \in R_{(T \to T)}$, $h \in R_{\forall f}$ and $A \in R_T$, and say $\Delta = \{v : (T \to T), \alpha : T\}$, $\Gamma = \{x : \forall v\}$, then since $\Delta; \Gamma \rhd x \cdot \alpha : v \cdot \alpha$ one has
$$h \cdot A = \llbracket \Delta; \Gamma \rhd x \cdot \alpha : v \cdot \alpha \rrbracket\eta \in R_{\llbracket \Delta \rhd v \cdot \alpha : T \rrbracket\eta} = R_{f \cdot A}$$
for all environments $\eta$ with $\eta(v) = f$, $\eta(\alpha) = A$, and $\eta(x) = h$. That $\mathcal{R}$ satisfies 2. and 3. on definable functions is seen for 2. via $\Delta; \Gamma \rhd \lambda x : \sigma . t : (\sigma \to \tau)$ and for 3. via $\Delta; \Gamma \rhd \lambda\alpha t : \forall\alpha\tau$.

$\Leftarrow$: Condition (i) of Definition 4.2 is clear, and for (ii) the assumptions are just what is needed to prove the claim $\llbracket \Delta; \Gamma \rhd t : \tau \rrbracket\eta \in R_{\llbracket\tau\rrbracket\eta}$ by induction on the derivation of $\Delta; \Gamma \rhd t : \tau$. □

The class of first-order binary pre-logical relations is closed under composition. For second-order relations $\mathcal{R} \subseteq \mathcal{A} \times \mathcal{B}$ and $\mathcal{S} \subseteq \mathcal{B} \times \mathcal{C}$, define $\mathcal{R} \circ \mathcal{S}$ by taking
$$(\mathcal{R} \circ \mathcal{S})_{Kind} = \{(R \circ S)_\kappa \mid \kappa \in Kind\}, \ \text{where } (R \circ S)_\kappa := R_\kappa \circ S_\kappa,$$
$$(\mathcal{R} \circ \mathcal{S})_{Type} = \{(R \circ S)_{(A,C)} \mid (A, C) \in (R \circ S)_T\}, \ \text{where}$$
$$(R \circ S)_{(A,C)} = \bigcup\{R_{(A,B)} \circ S_{(B,C)} \mid B \in U^{\mathcal{B}}_T,\ (A, B) \in R_T,\ (B, C) \in S_T\}.$$
It is then routine to check the following 
Proposition 4.5. Let $\mathcal{R} \subseteq \mathcal{A} \times \mathcal{B}$ and $\mathcal{S} \subseteq \mathcal{B} \times \mathcal{C}$ be pre-logical relations between models of the second-order calculus. Let $\eta = (\eta^{\mathcal{A}}, \eta^{\mathcal{C}}) : \Delta; \Gamma \to \mathcal{R} \circ \mathcal{S}$ and suppose there is some $\eta^{\mathcal{B}} : \Delta; \Gamma \to \mathcal{B}$ such that $(\eta^{\mathcal{A}}, \eta^{\mathcal{B}}) : \Delta; \Gamma \to \mathcal{R}$ and $(\eta^{\mathcal{B}}, \eta^{\mathcal{C}}) : \Delta; \Gamma \to \mathcal{S}$. Then
$$\llbracket \Delta; \Gamma \rhd t : \tau \rrbracket\eta \in (R \circ S)_{\llbracket \Delta \rhd \tau : T \rrbracket\eta}$$
for each term $\Delta; \Gamma \rhd t : \tau$.

This does not quite mean that $\mathcal{R} \circ \mathcal{S}$ is a pre-logical relation: of course, for each $\eta : \Delta; \Gamma \to \mathcal{R} \circ \mathcal{S}$ there is some $\eta^{\mathcal{B}}_{Kind} : \Delta \to \mathcal{B}$ such that $(\eta^{\mathcal{A}}_{Kind}, \eta^{\mathcal{B}}_{Kind}) : \Delta \to \mathcal{R}_{Kind}$ and $(\eta^{\mathcal{B}}_{Kind}, \eta^{\mathcal{C}}_{Kind}) : \Delta \to \mathcal{S}_{Kind}$. Yet, there may be no extension $\eta^{\mathcal{B}} = \eta^{\mathcal{B}}_{Kind} \cup \eta^{\mathcal{B}}_{Type}$ as needed in the proposition: if $\eta(x : \sigma) = (a, c) \in (R \circ S)_{(A,C)}$ for $(A, C) = \llbracket \Delta \rhd \sigma : T \rrbracket\eta$, there is some $B$ such that $(A, B) \in R_T$, $(B, C) \in S_T$, and $(a, b) \in R_{(A,B)}$, $(b, c) \in S_{(B,C)}$, but $B$ may depend on $(a, c)$, not just $(A, C)$, and may be different from

If for each $(A, C) \in (R \circ S)_T$ the relations $R_{(A,B)} \circ S_{(B,C)}$ for all $B$ with $(A, B) \in R_T$ and $(B, C) \in S_T$ coincide, we can extend $\eta^{\mathcal{B}}_{Kind}$ by a suitable $\eta^{\mathcal{B}}_{Type}$. So we still have the following special case, which may be sufficient for applications of second-order pre-logical relations to step-wise data refinement (cf. [HLST00]):

Corollary 4.6. If $\mathcal{R} \subseteq \mathcal{A} \times \mathcal{B}$ and $\mathcal{S} \subseteq \mathcal{B} \times \mathcal{C}$ are pre-logical and $R_T$ (or the inverse of $S_T$) is functional, then $\mathcal{R} \circ \mathcal{S}$ is pre-logical.

For the same reason, the projection of a pre-logical $\mathcal{R} \subseteq \mathcal{A} \times \mathcal{B}$ to the first component is a pre-logical predicate on $\mathcal{A}$ if $R_T$ is functional, but not in general.

Proposition 4.7. Let $\{\mathcal{R}_i \mid i \in I\}$ be a family of pre-logical predicates on $\mathcal{A}$. Then $\bigcap\{\mathcal{R}_i \mid i \in I\}$ is a pre-logical predicate.

Remark 4.8. By Proposition 7.1 of [HS99], every first-order pre-logical relation $\mathcal{R} \subseteq \mathcal{A} \times \mathcal{B}$ is the composition of three logical relations, $embed_{\mathcal{A}} \subseteq \mathcal{A} \times \mathcal{A}[X]$, $\mathcal{R}[X] \subseteq \mathcal{A}[X] \times \mathcal{B}[X]$, and $embed_{\mathcal{B}} \subseteq \mathcal{B}[X] \times \mathcal{B}$, where $X$ is a set of indeterminates. Since the embedding relations are functional, we expect that this result extends to the second-order case, using Corollary 4.6.

4.2 Definability and Observational Equivalence 

Definition 4.9. Let $\mathcal{A} = (\mathcal{U}, \mathcal{D}, \Phi, \Psi, \llbracket \cdot \rrbracket \cdot)$ and $A \in U_T$. Element $a \in D_A$ is definable of type $A$, if there is a closed term $; \rhd t : \tau$ of the second-order calculus with $A = \llbracket \rhd \tau : T \rrbracket^{\mathcal{A}}$ and $a = \llbracket ; \rhd t : \tau \rrbracket^{\mathcal{A}}$. We denote the set of definable elements of type $A$ by
$$Def_A := \{\llbracket ; \rhd t : \tau \rrbracket^{\mathcal{A}} \mid ; \rhd t : \tau \text{ a closed term},\ A = \llbracket \rhd \tau : T \rrbracket^{\mathcal{A}}\}.$$

Mitchell and Meyer ([MM85], Theorem 4) have characterized the set of definable elements of a model $\mathcal{A}$ of the second-order calculus as the intersection of all logical relations on an extension $\mathcal{A}^*$ of $\mathcal{A}$ by infinitely many unknowns of each type. Using pre-logical relations, we get a simpler characterization:




Second-Order Pre-logical Relations and Representation Independence 309 



Theorem 4.10 An element $a$ of $\mathcal{A}$ is definable of type $A \in U_T$ iff for each pre-logical predicate $\mathcal{R} \subseteq \mathcal{A}$ we have $A \in R_T$ and $a \in R_A$.

Proof. $\Rightarrow$: There is a term $; \rhd t : \tau$ with $A = \llbracket \rhd \tau : T \rrbracket$ and $a = \llbracket ; \rhd t : \tau \rrbracket \in D_A$. For each pre-logical predicate $\mathcal{R}$ on $\mathcal{A}$, $\llbracket ; \rhd t : \tau \rrbracket \in R_{\llbracket \rhd \tau : T \rrbracket}$ by definition, and $A = \llbracket \rhd \tau : T \rrbracket \in R_T$ follows from $\rhd \tau : T$, by 2.3.

$\Leftarrow$: We show that $Def = (Def_{Kind}, Def_{Type})$ is a pre-logical predicate on $\mathcal{A}$. Then $A \in Def_T$, so $A = \llbracket \rhd \sigma : T \rrbracket$ for some type $\rhd \sigma : T$, and for $a \in Def_A$ there is a term $; \rhd t : \tau$ with $a = \llbracket ; \rhd t : \tau \rrbracket$ and $\llbracket \rhd \tau : T \rrbracket = A$. So $a$ is definable of type $A$.

By Theorem 2.3, $Def_{Kind} = \{Def_\kappa \mid \kappa \in Kind\}$ where $Def_\kappa = \{\llbracket\mu\rrbracket \mid \rhd \mu : \kappa\}$, is pre-logical, since $\mathcal{U}$ is a model of the constructor calculus.

For $Def_{Type}$, suppose $\Delta; \Gamma \rhd t : \tau$ and $\eta : \Delta; \Gamma \to Def$. For each $v_i : \kappa_i \in \Delta$ and $x_j : \tau_j \in \Gamma$ there is $\rhd \mu_i : \kappa_i$ and $; \rhd t_j : \tau_j$ such that $\eta(v_i) = \llbracket\mu_i\rrbracket \in Def_{\kappa_i}$ and $\eta(x_j) = \llbracket ; \rhd t_j : \tau_j \rrbracket \in Def_{\llbracket\tau_j\rrbracket}$. With the substitution lemma (cf. [BMM90]),
$$\llbracket \Delta; \Gamma \rhd t : \tau \rrbracket\eta = \llbracket \Delta; \Gamma \rhd t : \tau \rrbracket[\llbracket \rhd \mu_1 : \kappa_1 \rrbracket/v_1, \ldots, \llbracket ; \rhd t_1 : \tau_1 \rrbracket/x_1, \ldots]$$
$$= \llbracket ; \rhd (t : \tau)[\mu_1/v_1, \ldots, t_1/x_1, \ldots] \rrbracket \in Def_{\llbracket \Delta \rhd \tau : T \rrbracket\eta}.$$

Hence $Def$ is the least pre-logical predicate on $\mathcal{A}$. □

Definition 4.11. Let $OBS$ be a set of closed types and $\mathcal{A}, \mathcal{B}$ be models of the second-order calculus such that $D^{\mathcal{A}}_{\llbracket\tau\rrbracket} = D^{\mathcal{B}}_{\llbracket\tau\rrbracket}$ for each $\tau \in OBS$. $\mathcal{A}$ and $\mathcal{B}$ are observationally equivalent, in symbols $\mathcal{A} \equiv_{OBS} \mathcal{B}$, if $\llbracket ; \rhd t : \tau \rrbracket^{\mathcal{A}} = \llbracket ; \rhd t : \tau \rrbracket^{\mathcal{B}}$ for all closed terms $; \rhd t : \tau$ where $\tau \in OBS$.

Theorem 4.12 Suppose $\vdash \sigma = \tau$ whenever $\llbracket \rhd \sigma : T \rrbracket = \llbracket \rhd \tau : T \rrbracket$. Then $\mathcal{A} \equiv_{OBS} \mathcal{B}$ iff there is a pre-logical relation $\mathcal{R} \subseteq \mathcal{A} \times \mathcal{B}$ with
$$R_{(A,B)} \cap (Def^{\mathcal{A}}_A \times Def^{\mathcal{B}}_B) \subseteq Id_{A,B} \subseteq D^{\mathcal{A}}_A \times D^{\mathcal{B}}_B$$
for each observable type $\rhd \tau : T \in OBS$, where $(A, B) = \llbracket \rhd \tau : T \rrbracket$.

Proof. $\Leftarrow$: Let $; \rhd t : \tau$ be a term. Then $\rhd \tau : T$ and since $\mathcal{R}$ is pre-logical, we have $(A, B) \in R_T$ for $(A, B) = \llbracket \rhd \tau : T \rrbracket$ and $(a, b) \in R_{(A,B)}$ for $(a, b) = \llbracket ; \rhd t : \tau \rrbracket$. If $\rhd \tau : T \in OBS$ then $a = b$ by the assumption.

$\Rightarrow$: Take $\mathcal{R} := Def^{\mathcal{A} \times \mathcal{B}}$, which is pre-logical by the previous proof. Suppose $\rhd \tau : T \in OBS$ and $(A, B) = \llbracket \rhd \tau : T \rrbracket$. For $(a, b) \in R_{(A,B)}$, there is a term $; \rhd s : \sigma$ such that
$$(a, b) = \llbracket ; \rhd s : \sigma \rrbracket \quad\text{and}\quad (A, B) = \llbracket \rhd \sigma : T \rrbracket.$$
By assumption, $\vdash \sigma = \tau$, hence $; \rhd s : \tau$ by $(Typ =)$, and $(a, b) = \llbracket ; \rhd s : \tau \rrbracket$. Since $\mathcal{A} \equiv_{OBS} \mathcal{B}$ and $\tau \in OBS$, we get $a = b$. □
4.3 Abstract Type Constructors and Representation Independence

To simplify the setting, we had assumed that the declaration in Example 2.8 introduces an abstract type, a bag, and constants $x : \sigma$ of simple type. But in fact we would like to model a declaration like
$$(\mathbf{abstype}\ (bag : T \to T, x : \sigma)\ \mathbf{is}\ (\lambda\alpha : T . \tau,\ t : \sigma[\lambda\alpha : T . \tau / bag])\ \mathbf{in}\ s),$$
introducing a type constructor and a constant of polymorphic type $\sigma$. In the second-order calculus we can do this as follows: we extend $\mathcal{A} = (\mathcal{U}, \mathcal{D}, \Phi, \Psi, C^{\mathcal{A}}, \llbracket \cdot \rrbracket \cdot)$ to a model $\mathcal{A}^+$ by first adjoining (cf. Definition 6.1) an indeterminate, $bag$, to the kind structure $\mathcal{U}$:
$$\mathcal{U}^+ = \mathcal{U}[bag : T \to T] = \{U^+_\kappa \mid \kappa \in Kind\}, \ \text{where } U^+_\kappa := U_{(T \to T) \to \kappa} \cdot bag.$$
This provides us with new types $(A\ bag), ((A\ bag)\ bag) \in U^+_T$ for each $A \in U_T$, and we can introduce new constants of polymorphic type, like
$$empty : \forall\alpha.(\alpha\ bag) \quad\text{or}\quad member : \forall\alpha(\alpha \to ((\alpha\ bag) \to int)).$$
Next, when assigning domains to the new types, we interpret $bag$ by a definable constructor, for example the list constructor $* : T \to T$, and use the domains of the resulting types of $U_T$ as domains of the new types, i.e.
$$D_{A\ bag} := D_{A*} = (D_A)^*,$$
and as interpretation of the new constants the elements of these domains that are the values of the defining terms, for example
$$(empty : \forall\alpha.(\alpha\ bag))^{\mathcal{A}^+} := [\,] \in D_{\llbracket\forall\alpha.\alpha*\rrbracket}.$$
Notice that a predicate $\mathcal{R}$ on $\mathcal{A}^+$ will have different predicates $R_{A\ bag}, R_{A*} \subseteq D_{A\ bag} = D_{A*}$, since the types $A\ bag$ and $A*$ are not the same.
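The bag example above, with the same abstract type given two representations, as an added, constructed Python example that is not the paper's code. The element type is fixed to `int`, `member` returns a count (the observable type `int` of the declaration), and the relation `same_multiset` plays the role of the predicate $R_{int\ bag}$ between the list representation (the paper's choice) and a multiplicity table. A third representation is constructed deliberately wrong so the check shows what a relation that the operations do not respect looks like. All names are this example's own, and a finite script is a test, not a proof.

```python
"""Two representations of an abstract 'bag' constructor and a relation between them
that the bag operations must preserve (the representation-independence idea of
Section 4.3); constructed example, not the paper's code."""
from collections import Counter
from typing import Callable, List, Optional, Tuple

# A representation of the abstract type, with the element type instantiated to int:
#   empty : int bag,  insert : int -> int bag -> int bag,  member : int -> int bag -> int
Rep = Tuple[Callable[[], object], Callable[[int, object], object],
            Callable[[int, object], int]]

# Representation 1: bag as the list constructor '*' (the paper's choice).
LIST_REP: Rep = (lambda: [], lambda x, b: [x] + b, lambda x, b: b.count(x))

# Representation 2 (constructed): bag as a multiplicity table.
def _insert_ctr(x: int, b: Counter) -> Counter:
    c = Counter(b)
    c[x] += 1
    return c

CTR_REP: Rep = (lambda: Counter(), _insert_ctr, lambda x, b: b[x])

# Representation 3 (constructed, deliberately wrong): a set forgets multiplicities.
SET_REP: Rep = (lambda: frozenset(), lambda x, b: b | {x}, lambda x, b: int(x in b))

def same_multiset(b_list: list, b_ctr: Counter) -> bool:
    """Candidate R_{int bag} between LIST_REP and CTR_REP: same elements, same counts."""
    return Counter(b_list) == b_ctr

def same_support(b_list: list, b_set: frozenset) -> bool:
    """Candidate relation between LIST_REP and SET_REP: same elements, counts ignored."""
    return set(b_list) == b_set

def check_relation(rep1: Rep, rep2: Rep, related: Callable[[object, object], bool],
                   script: List[int]) -> Optional[int]:
    """Run one insert script against both representations.  After every step the two
    bags must stay related, and every observable result of type int (member counts,
    where the relation at int is the identity) must coincide.  Returns the index of
    the first step that exposes a difference, or None if the script finds none."""
    (empty1, insert1, member1), (empty2, insert2, member2) = rep1, rep2
    b1, b2 = empty1(), empty2()
    for i, x in enumerate(script):
        b1, b2 = insert1(x, b1), insert2(x, b2)
        if not related(b1, b2):
            return i
        if any(member1(y, b1) != member2(y, b2) for y in script):
            return i
    return None
```

`check_relation(LIST_REP, CTR_REP, same_multiset, [1, 2, 1, 3])` finds no difference, while with `SET_REP` and `same_support` the second insertion of `1` is exposed at step index 2: the bags are still related under `same_support`, but the observable `member` counts differ, which is exactly the situation the identity relation at the observable type rules out.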

Definition 4.13. Let $v_0 : \kappa_0 \rhd \sigma_0 : T$ and $C^+ := C_{Kind}, v_0 : \kappa_0\ ;\ C_{Type}, x_0 : \sigma_0$ be an extension of $C$ by new ‘constants’ $v_0, x_0$. Let $\mathcal{A} = (\mathcal{U}, \mathcal{D}, \Phi, \Psi, \llbracket \cdot \rrbracket)$ be an environment model of the second-order calculus, $\rhd \mu_0 : \kappa_0$ a closed constructor with value $k_0 = \llbracket \rhd \mu_0 : \kappa_0 \rrbracket$, and $A = \llbracket \sigma_0[\mu_0/v_0] \rrbracket \in U_T$ and $a \in D_A$.

Define the expansion $\mathcal{A}(\mu_0, a) := \mathcal{A}^+ = (\mathcal{U}^+, \mathcal{D}^+, \Phi^+, \Psi^+, \llbracket \cdot \rrbracket^+)$ as follows:

$\mathcal{U}^+ = \mathcal{U}[v_0 : \kappa_0]$ is the extension of $\mathcal{U}$ by an indeterminate $v_0 : \kappa_0$ (cf. Definition 6.1). Each $k \in U^+_\kappa$ can be seen as an element of $U_{(\kappa_0 \to \kappa)}$ and hence determines an element $k(k_0) \in U_\kappa$; therefore, $\mathcal{D}^+, \Phi^+, \Psi^+, \llbracket \cdot \rrbracket^+$ are given by
$$D^+_A := D_{A(k_0)}, \qquad x_0^{\mathcal{A}^+} := a, \qquad c^{\mathcal{A}^+} := c^{\mathcal{A}} \ \text{for } c : \sigma \in C_{Type},$$
$$(\Phi^+)^{\to}_{A,B} := \Phi^{\to}_{A(k_0), B(k_0)}, \qquad (\Psi^+)^{\to}_{A,B} := \Psi^{\to}_{A(k_0), B(k_0)},$$
and correspondingly for $(\Phi^+)^{\forall}$ and $(\Psi^+)^{\forall}$, and $\llbracket \Delta; \Gamma \rhd t : \tau \rrbracket^+\eta := \llbracket \Delta; \Gamma \rhd t : \tau \rrbracket\eta_{k_0}$, where $\eta_{k_0}(v) := \eta(v)(k_0) \in U_\kappa$ for $v : \kappa \in \Delta$ and $\eta_{k_0}(x) := \eta(x) \in D_{A(k_0)}$ for $x : \sigma \in \Gamma$ with $A = \llbracket \Delta \rhd \sigma : T \rrbracket \in U^+_T$.
We can now give a generalization of the representation independence theorem 2.9 to the second-order calculus that covers abstract type constructors. (This is also the reason why we did not use $\exists$-types: adding $\exists : (T \to T) \to T$ to the calculus to handle abstract types (cf. [MP85]) would not be sufficient; we’d need existential quantifiers of other kinds as well.) For simplicity of notation, we only state the unary version.

Theorem 4.14 Let $\mathcal{R}$ be a pre-logical predicate on a model $\mathcal{A}$ of the second-order calculus, such that $\mathcal{R}_{Kind}$ is logical and its elements are definable using parameters of $R_T$. For each definable expansion $\mathcal{A}^+ = \mathcal{A}(\mu_0, a)$ of $\mathcal{A}$ to a model of the extended calculus, the following are equivalent:

(i) $Def^+_A \subseteq R_A$ for each $A \in R_T$.

(ii) There is a pre-logical predicate $\mathcal{R}^+ \subseteq \mathcal{A}^+$ such that $R_T \subseteq R^+_T$ and $R^+_A = R_A$ for all $A \in R_T$.



Proof. (ii) $\Rightarrow$ (i): for $A \in R_T \subseteq R^+_T$ we have $Def^+_A \subseteq R^+_A$ since $\mathcal{R}^+$ is pre-logical, so $Def^+_A \subseteq R_A$ by $R^+_A = R_A$.

(i) $\Rightarrow$ (ii): By construction, elements of $U^+_\kappa$ are equivalence classes $[v_0 : \kappa_0 \rhd \mu : \kappa]$ of constructors $\mu$ of the constructor calculus with parameters for elements of $\mathcal{U}$; each one can be written as $[k \cdot v_0]$ with a unique $k \in U_{(\kappa_0 \to \kappa)}$. We define $\mathcal{R}^+ \subseteq \mathcal{A}^+$ by
$$\mathcal{R}^+_{Kind} := \{R^+_\kappa \mid \kappa \in Kind\}, \ \text{where } R^+_\kappa := R_{(\kappa_0 \to \kappa)} \cdot v_0 \ \text{for } \kappa \in Kind.$$
For $\mathcal{R}^+_{Type} = \{R^+_A \mid A \in R^+_T\}$, let $R^+_A$ be the set of elements of $D^+_A$ that can be defined in the extended calculus with type parameters from $R_T$ and individual parameters from $\mathcal{R}_{Type}$, i.e. for $A \in R^+_T$ (and $\eta = (\eta_{Kind}, \eta_{Type})$) we put
$$R^+_A := \{\llbracket \Delta; \Gamma \rhd t : \tau \rrbracket\eta \mid \Delta; \Gamma \rhd t : \tau \text{ is a term of the extended calculus},\ \eta_{Kind} : \Delta \to R_T,\ A = \llbracket \Delta \rhd \tau : T \rrbracket\eta,$$
$$\qquad\qquad \text{for all } x : \sigma \in \Gamma,\ \sigma \text{ is a type of the base calculus},\ \eta_{Type} : \Gamma \to \mathcal{R}_{Type}\}. \tag{5}$$

Claim 1 $\mathcal{R}^+ := (\mathcal{R}^+_{Kind}, \mathcal{R}^+_{Type})$ is a pre-logical predicate on $\mathcal{A}^+$.

Proof: (Sketch) Since $\mathcal{R}_{Kind}$ is logical, not just pre-logical, by Lemma 6.2 $\mathcal{R}^+_{Kind} \subseteq \mathcal{U}^+$ is a logical, hence pre-logical predicate. For $\mathcal{R}^+_{Type}$ we use Lemma 4.4. To see that $\mathcal{R}^+$ is algebraic, use the fact that types $A \in R^+_T$ can be represented as $\mu \cdot v_0$ for some $\mu \in R_{(\kappa_0 \to T)}$, and by the assumption on $\mathcal{R}$, $\mu$ is definable by a term of the constructor calculus with parameters from $R_T$.

To show 2. and 3. of Lemma 4.4, suppose $f$ is a function $\mathcal{A}^+$-definable with parameters from $\mathcal{R}^+$. Use the substitution lemma to replace in $f$’s defining term all parameters from $\mathcal{R}^+$ by their defining terms of the extended calculus with parameters from $\mathcal{R}_{Type}$.

Claim 2 For each $A \in R_T$ we have $A \in R^+_T$ and $R^+_A = R_A$.
Proof: Let $A \in R_T$. Then $A = \llbracket \alpha : T \rhd (\lambda v\,\alpha) \cdot v_0 : T \rrbracket[A/\alpha] \in R_{(\kappa_0 \to T)} \cdot v_0 = R^+_T$. To show $R_A \subseteq R^+_A$, let $\eta$ be an environment with $\eta(\alpha : T) = A$ and $\eta(x : \alpha) = a \in R_A$. Then $a = \llbracket \alpha : T; x : \alpha \rhd x : \alpha \rrbracket\eta \in R^+_A$ by definition of $R^+_A$.

To show $R^+_A \subseteq R_A$, let $a = \llbracket \Delta; \Gamma \rhd t : \tau \rrbracket\eta \in R^+_A$ where $\Delta; \Gamma \rhd t : \tau$ and $\eta$ have the properties given in (5). Then $\Delta$ has the form $\alpha_1 : T, \ldots, \alpha_n : T$, and with $\Gamma = x_1 : \sigma_1, \ldots, x_m : \sigma_m$ the abstraction
$$\bar t : \bar\tau := \lambda\alpha_1 \ldots \lambda\alpha_n \lambda x_1 : \sigma_1 \ldots \lambda x_m : \sigma_m . t\ :\ \forall\alpha_1 \ldots \forall\alpha_n (\sigma_1 \to \ldots \to \sigma_m \to \tau)$$
is a closed term of the extended calculus with type $\bar A := \llbracket \rhd \bar\tau : T \rrbracket \in R_T$. By (i),
$$\llbracket ; \rhd \bar t : \bar\tau \rrbracket \in Def^+_{\bar A} \subseteq R_{\bar A}.$$
Let $A_i = \eta(\alpha_i)$, $b_j = \eta(x_j)$ and $B_j = \llbracket \Delta \rhd \sigma_j : T \rrbracket\eta$. By assumption on $\eta$ and since $\mathcal{R}$ is pre-logical we have $A_i, B_j \in R_T$ and $b_j \in R_{B_j}$. This gives
$$a = \llbracket ; \rhd \bar t : \bar\tau \rrbracket \cdot A_1 \cdots A_n \cdot b_1 \cdots b_m \in R_{\bar A} \cdot A_1 \cdots A_n \cdot b_1 \cdots b_m \subseteq R_{B_1 \to \ldots \to B_m \to A} \cdot R_{B_1} \cdots R_{B_m} \subseteq R_A. \qquad \square$$



Remark 4.15. For the calculus with $\exists$-types, Mitchell ([Mit86], Theorem 7) states (without proof) a criterion for the equivalence of two representations of an abstract datatype where $\mathcal{R}^+$ in (ii) is a logical predicate. I am unable to construct such a logical predicate from his version of (i). It seems unlikely that we can modify the pre-logical predicate from the proof of 4.14 to obtain a logical predicate satisfying (ii) (when $\exists$ is dropped), in particular since $C$ may have higher-order constants.

5 Directions for Future Work 

First, we conjecture that the characterizations of pre-logical relations by logical relations given in [HS99] for first-order models can be transferred to the class of second-order models considered here, but details remain to be checked (cf. Remark 4.8). Next, a categorical generalization of second-order pre-logical relations, extending the work on lax logical relations [PPST00], would be useful for applications to categorical models and probably to imperative languages. Third, representation independence theorems for languages with $\exists$-types or dependent types and for a general form of abstraction like
$$(\mathbf{abstype}\ context\ \mathbf{with}\ specification\ \mathbf{is}\ representation\ \mathbf{in}\ scope)$$
or SML’s restriction construct $structure\ \mathbin{:>}\ signature$ would be very useful, especially for SML with higher-order functors (cf. [Ler95], section 4). Finally, observational equivalence as the logical relation at $\exists$-types (cf. [Mit86]) may have a flexible variant with pre-logical relations, in particular in connection with specification refinement as studied in [Han99].
6 Appendix: Adjunction of Indeterminates

Definition 6.1. Let $\mathcal{A} = (A, \Phi, \Psi, C^{\mathcal{A}})$ be an extensional model of the simply typed λ-calculus over the constants $C$, and $\tau$ a type. Extend the terms by adding a constant $\underline{a}$ for each $a \in A_\sigma$. Consider the equivalence of terms of type $\sigma$ in the free variable $x : \tau$ given by
$$s(x) =_{\mathcal{A}} t(x) \ :\iff\ \forall a \in A_\tau .\ \llbracket s \rrbracket[a/x] = \llbracket t \rrbracket[a/x] \in A_\sigma.$$
Each equivalence class $[s : \sigma]$ of $=_{\mathcal{A}}$ can be represented in the form $[f \cdot x]$ where $f \in A_{\tau \to \sigma}$. Since $\mathcal{A}$ is extensional, $f = \llbracket \lambda x s \rrbracket$ is unique and $a \mapsto [a]$ is injective.

Let $\mathcal{A}[x : \tau] := (A', \Phi', \Psi', C')$, the extension of $\mathcal{A}$ by the indeterminate $x : \tau$, be
$$A'_\sigma = A[x : \tau]_\sigma := \{[s] \mid x : \tau \rhd s : \sigma\},$$
$$\Phi'_{\rho,\sigma}([f \cdot x])([g \cdot x]) := [\Phi_{\tau \to \rho,\, \tau \to \sigma}(S_{\tau,\rho,\sigma} \cdot f)(g) \cdot x],$$
$$\Psi'_{\rho,\sigma}(h) := [\Lambda_{\tau,\rho,\sigma}(h) \cdot x],$$
$$C'(c) := [\,C^{\mathcal{A}}(c)\,] \ \text{for } c : \sigma \in C,$$
where $S_{\tau,\rho,\sigma} := \lambda f \lambda g \lambda x . (f x)(g x) : (\tau \to \rho \to \sigma) \to (\tau \to \rho) \to (\tau \to \sigma)$. We write $f \cdot x$ instead of $[f \cdot x]$ and, correspondingly, $A[x : \tau]_\sigma = A_{\tau \to \sigma} \cdot x$.

Lemma 6.2. Let $\mathcal{A}$ be an extensional model of the simply typed λ-calculus and $\mathcal{R} \subseteq \mathcal{A}$ a logical predicate. There is a logical predicate $\mathcal{S}$ on $\mathcal{A}[x : \tau]$ with $[x] \in S_\tau$ and $R_\sigma \subseteq S_\sigma$ for all types $\sigma$. If $R_\tau \neq \emptyset$, then $S_\sigma \cap$

Proof. Putting $S_\sigma := R_{\tau \to \sigma} \cdot x$ for all types $\sigma$, the claim is easily verified.

Note that $C$ may contain higher-order constants. This is used for $\forall$ when applying 6.2 in the proof of Theorem 4.14. Unfortunately, the lemma apparently is wrong with pre-logical instead of logical relations.
Abstract. We give a simple characterization of convergent terms in Abadi and Cardelli’s untyped Object Calculus (ς-calculus) via intersection types. We consider a λ-calculus with records and its intersection type assignment system. We prove that convergent λ-terms are characterized by their types. The characterization is then inherited by the object calculus via the self-application interpretation.



1 Introduction 

Concerning type systems for object oriented languages, theoretical research over the last decades has focused on subtyping, having as correctness criterion that typed programs will never raise a “message not understood” exception at run time. Undoubtedly these are central issues in the field; nevertheless there are questions for which a different understanding of typing could be useful.

We move from the remark that, at least in the case of major theoretical models, like the Object Calculus of [P] or the Lambda Calculus of Objects of [PSI], typed terms do not normalize, in general. This is not surprising, since objects are essentially recursive, and these calculi are Turing complete; but this has the unpleasant consequence that types are completely insensitive with respect to termination. For example, the ς-term $[l = \varsigma(x)x.l].l$, which diverges, has type $[\,]$ in the basic first order type system $OB_1$; but an inspection of the derivation shows that it has any type $A$, since the object term $[l = \varsigma(x)x.l]$ may be typed by $[l : A]$, for any $A$ (more precisely, for any $A$ there exists a typed version $[l = \varsigma(x : [l : A])x.l].l$ of the diverging term, which has type $A$). Exactly the same remark applies to the Lambda Calculus of Objects, where a coding of the paradoxical combinator (following the notation of [TH]) $Y = \lambda f.(rec = \lambda x.f(x \Leftarrow rec)) \Leftarrow rec$ is typable by $(\sigma \to \sigma) \to \sigma$, for any $\sigma$; then $Y(\lambda x.x) : \sigma$ for all $\sigma$.

Should we care about termination in OO systems? If one’s focus is on event driven systems, modularization, encapsulation or software reusability, as much as these features are supported by OO languages, probably not. But, after all, object orientation is a programming paradigm: if a program enters some infinite loop, without exhibiting any communication capability, it is true that no system inconsistency is responsible for this fact; it might also be clear that, due to some
S. Abramsky (Ed.): TLCA 2001, LNCS 2044, pp. 315-…, 2001.
clever typing, one knows in advance that no object will receive some unexpected message; nevertheless such a program is hardly useful.

In the present paper we show that a simple characterization of converging terms in the ς-calculus is achievable via a combination of (untyped) interpretations of object calculi and type assignment systems. We consider the untyped λ-calculus with records as the target language into which object terms from the ς-calculus are translated, according to interpretations which have been proposed in the literature. We restrict attention to the self-application interpretation (see [P], chapter 18), since it is easily proved that convergency in the ς-calculus (see [P], chapter 6) and in the λ-calculus with records are equivalent under such interpretation. We provide a characterization of convergency in the λ-calculus with records via an intersection type assignment system; the characterization is then inherited by the (untyped) ς-calculus.

Intersection types are better understood as “functional characters” (namely 
computational properties), than as sets of values: this is in accordance with the 
fact that in such systems any term has a (possibly trivial) type, and, moreover, 
that each term is typable by infinitely many types. On the other hand the set of 
types that can be given to a term describes its functional behaviour, that is its 
meaning (see e.g. 1 1 'ZKifZ'Zl Rj 1 . That convergency is characterized by typability 
within the system by types of some specific shape is basic with respect to the 
construction of denotational models using types (see [Ml)- 

As a matter of fact, we consider the study of reduction properties via type 
assignment systems a preliminary step toward a theory of equivalence and of 
models for object calculi, based on domain logic and type assignment, which is 
left for further research. 

1.1 Related Work 

The use of intersection types as a tool for the study of computational properties of the untyped λ-calculus begins with m and and it is an established theory: see m for an exposition. These techniques have been recently applied to the study of the lazy λ-calculus 0, of a parallel extension of the λ-calculus i™, and of the call-by-value λ-calculus ITTEni. Further studies of reduction properties via intersection types are reported in US!.

Intersection types have also been used by Reynolds in the design of his FORSYTHE language (see among many others j26f24j). Although intersection semantics is the same as that in the literature quoted above, the meaning of types is close to the standard interpretation of polymorphism, and does not provide a tool for characterizing properties of reduction. However, the typing of records is strikingly similar to the one we have used here.

The source of the λ-calculus of records is [P], chapter 8, where it is contrasted to the ς-calculus. Interpretations have a long history, both as formalizations of the informal notion of object, and as translations of formal calculi: in particular the self-application interpretation originates from Kamin’s work ED. Sources of further information on the subject of interpretations are as well as [P], chapter 18. More recently Crary m advocated a use of intersection types for object encoding, together with existential and recursive types. The paper discusses encoding into typed calculi, and is in the line of Reynolds’ and Pierce’s understanding of intersection types.



2 A λ-Calculus with Records



The syntax of terms is obtained from that of untyped λ-terms by adding records, equipped with selection and update operators:
$$M ::= x \mid \lambda x.M \mid MN \mid (l_i = M_i^{\ i \in I}) \mid M.l \mid M.l := N,$$
where $I$ varies over finite sets of indexes, and $l_i \neq l_j$ if $i \neq j$. Note that $M.l$ is not a subterm of $M.l := N$ (much as $a.l$ is not a subterm of $a.l \Leftarrow \varsigma(x)b$ in the ς-calculus). We call $\Lambda_R$ the resulting set of terms. The set of closed terms in $\Lambda_R$ is denoted by $\Lambda^0_R$.

To give semantics to the calculus we first define a notion of reduction, and 
then choose a suitable subset of normal forms to be considered as values. 

Definition 1. The weak reduction relation $\to_w$ over $\Lambda_R$ is defined by the following axioms and rules:

$(\beta)$ $(\lambda x.M)N \to_w M[N/x]$,

$(\nu)$ $M \to_w M' \Rightarrow MN \to_w M'N$,

$(R1)$ $(l_i = M_i^{\ i \in I}).l_j \to_w M_j$, if $j \in I$,

$(R2)$ $M \to_w M' \Rightarrow M.l \to_w M'.l$,

$(R3)$ $(l_i = M_i^{\ i \in I}).l_j := N \to_w (l_i = M_i^{\ i \in I \setminus \{j\}}, l_j = N)$, if $j \in I$,

$(R4)$ $M \to_w M' \Rightarrow M.l := N \to_w M'.l := N$.

This is lazy reduction of the A-calculus plus extra reduction rules for record 
terms. 

Definition 2. The set of values $\mathcal{V}$ is the union of the set $\mathcal{R} = \{(l_i = M_i^{\ i \in I}) \mid \forall i \in I.\ M_i \in \Lambda^0_R\}$ and the set $\mathcal{F}$ of closed abstractions. Then we define a convergency predicate w.r.t. weak reduction by:

i) $M \Downarrow V \iff V \in \mathcal{V} \wedge M \to^*_w V$,

ii) $M \Downarrow \iff \exists V.\ M \Downarrow V$.

Definition 2 rules out closed normal forms like $(\lambda x.x).l := (\lambda x.x)$. Any value is a normal form w.r.t. $\to_w$ but not vice versa: in particular any term representing a selection or an update over a label which is not defined in its operand in normal form results in a blocked term which is not a value.
Terms: $\quad a ::= x \mid [l_i = \varsigma(x_i)b_i^{\ i \in I}] \mid a.l \mid a.l \Leftarrow \varsigma(x)b$

Values: $\quad v ::= [l_i = \varsigma(x_i)b_i^{\ i \in I}]$

Evaluation Rules:
$$\frac{}{v \Downarrow v}
\qquad
\frac{a \Downarrow [l_i = \varsigma(x_i)b_i^{\ i \in I}] \qquad b_j\{[l_i = \varsigma(x_i)b_i^{\ i \in I}]/x_j\} \Downarrow v \qquad j \in I}{a.l_j \Downarrow v}$$
$$\frac{a \Downarrow [l_i = \varsigma(x_i)b_i^{\ i \in I}] \qquad j \in I}{a.l_j \Leftarrow \varsigma(y)b \Downarrow [l_i = \varsigma(x_i)b_i^{\ i \in I \setminus \{j\}}, l_j = \varsigma(y)b]}$$

Fig. 1. The untyped ς-calculus and its operational semantics.



3 Self-Application Interpretation and Convergency



Syntax and operational semantics of the untyped ς-calculus are from [P], chapter 6; they are reported in Figure 1. Note that substitution is written $a\{b/x\}$, instead of using square brackets, to avoid confusion with the notation of object terms.

We then introduce the self-application interpretation $\llbracket \cdot \rrbracket$, which is a mapping sending ς-terms into $\Lambda_R$. We take this definition from [P], chapter 18.

Definition 3. Under the self-application interpretation, ς-terms are translated according to the following rules:
$$\llbracket x \rrbracket = x,$$
$$\llbracket [l_i = \varsigma(x_i)b_i^{\ i \in I}] \rrbracket = (l_i = \lambda x_i.\llbracket b_i \rrbracket^{\ i \in I}),$$
$$\llbracket a.l \rrbracket = (\llbracket a \rrbracket.l)\ \llbracket a \rrbracket,$$
$$\llbracket a.l \Leftarrow \varsigma(x)b \rrbracket = \llbracket a \rrbracket.l := \lambda x.\llbracket b \rrbracket.$$

For the sake of relating convergency predicates via the self-application interpretation, we give a one-step operational semantics of the ς-calculus which is equivalent to the big-step one.



Definition 4. The reduction relation $\to_\varsigma$ over ς-terms is defined by:

i) $[l_i = \varsigma(x_i)b_i^{\ i \in I}].l_j \to_\varsigma b_j\{[l_i = \varsigma(x_i)b_i^{\ i \in I}]/x_j\}$, if $j \in I$,

ii) $[l_i = \varsigma(x_i)b_i^{\ i \in I}].l_j \Leftarrow \varsigma(y)b \to_\varsigma [l_i = \varsigma(x_i)b_i^{\ i \in I \setminus \{j\}}, l_j = \varsigma(y)b]$, if $j \in I$,

iii) $a \to_\varsigma b \Rightarrow a.l \to_\varsigma b.l$,

iv) $a \to_\varsigma b \Rightarrow a.l \Leftarrow \varsigma(y)c \to_\varsigma b.l \Leftarrow \varsigma(y)c$.

This reduction relation is weaker than the one-step reduction defined in [P], 6.2-1; on the other hand the subsequent lemma does not hold for that relation.



Lemma 1. For any ς-term $a$ and value $v$: $a \Downarrow v \iff a \to^*_\varsigma v$.

Proof. By induction over the definition of $a \to^*_\varsigma v$ (if part), and over the definition of $a \Downarrow v$ (only if part). □

The next theorem states that the operational semantics is faithfully mirrored under the self-application interpretation. We write $a \Downarrow$ if there exists some $v$ such that $a \Downarrow v$.

Theorem 1. For any ς-term $a$, $a \Downarrow$ if and only if $\llbracket a \rrbracket \Downarrow$, that is the self-application interpretation preserves and respects the convergency predicate.

Proof. We observe that:

a) if $a \to_\varsigma b$, then $\llbracket a \rrbracket \to^*_w \llbracket b \rrbracket$ (proof by induction over $\to_\varsigma$);

b) if $\llbracket a \rrbracket \to_w M$, then, for some $N$ and $b$, $M \to^*_w N = \llbracket b \rrbracket$ and $a \to_\varsigma b$ (proof by induction over $a$);

c) $v$ is a value in the ς-calculus if and only if $\llbracket v \rrbracket$ is such in $\Lambda_R$ (immediate from the shape of $\llbracket v \rrbracket$);

d) if $V \in \mathcal{V}$ and $V = \llbracket a \rrbracket$ for some $a$, then $a$ is a value (by inspection of the definition of $\llbracket \cdot \rrbracket$).

If $a \Downarrow$, then $a \to^*_\varsigma v$ for some value $v$, by Lemma 1; hence $\llbracket a \rrbracket \to^*_w \llbracket v \rrbracket$, by (a), and $\llbracket v \rrbracket \in \mathcal{V}$ by (c); therefore $\llbracket a \rrbracket \Downarrow$.

Vice versa, if $\llbracket a \rrbracket \Downarrow$, then $\llbracket a \rrbracket \to^*_w V$ for some $V \in \mathcal{V}$; since $V$ is a normal form, by (b) we know that $V = \llbracket b \rrbracket$, with $a \to^*_\varsigma b$; it follows that $b$ is a value, by (d), so that $a \Downarrow$ by Lemma 1. □
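The weak reduction of Definition 1, the convergency predicate of Definition 2, the self-application interpretation of Definition 3 and the ς-reduction of Definition 4, as an added, runnable Python example that is not part of the paper or of Abadi and Cardelli's work: both sides of Theorem 1 are evaluated with a step bound, so a diverging term such as the $[l = \varsigma(x)x.l].l$ of the introduction shows up as non-convergence on both sides, while the blocked term $(\lambda x.x).l := (\lambda x.x)$ of Definition 2 is recognised as a normal form that is not a value. The sample objects other than the looping one are constructed here, and every class and function name is this example's own.

```python
"""Lambda_R (Definitions 1-2), the self-application interpretation (Definition 3) and
sigma-reduction (Definition 4), with a bounded evaluator for Theorem 1.  Added
example; not the paper's code."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Lambda_R terms.  Records are tuples of (label, term) pairs.
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Lam: x: str; body: object
@dataclass(frozen=True)
class App: fn: object; arg: object
@dataclass(frozen=True)
class Rec: fields: Tuple[Tuple[str, object], ...]      # (l_i = M_i)^{i in I}
@dataclass(frozen=True)
class Sel: rec: object; label: str                     # M.l
@dataclass(frozen=True)
class Upd: rec: object; label: str; new: object        # M.l := N
# sigma-calculus terms (Figure 1).  Methods are (label, self variable, body).
@dataclass(frozen=True)
class OVar: name: str
@dataclass(frozen=True)
class Obj: methods: Tuple[Tuple[str, str, object], ...]  # [l_i = sigma(x_i) b_i]
@dataclass(frozen=True)
class OSel: obj: object; label: str                      # a.l
@dataclass(frozen=True)
class OUpd: obj: object; label: str; x: str; body: object  # a.l <= sigma(x) b

def subst(m, x, n):
    """M[N/x]; weak reduction only ever substitutes closed N, so no capture arises."""
    if isinstance(m, Var): return n if m.name == x else m
    if isinstance(m, Lam): return m if m.x == x else Lam(m.x, subst(m.body, x, n))
    if isinstance(m, App): return App(subst(m.fn, x, n), subst(m.arg, x, n))
    if isinstance(m, Rec): return Rec(tuple((l, subst(b, x, n)) for l, b in m.fields))
    if isinstance(m, Sel): return Sel(subst(m.rec, x, n), m.label)
    return Upd(subst(m.rec, x, n), m.label, subst(m.new, x, n))

def step(m):
    """One weak-reduction step (Definition 1); None means M is a normal form."""
    if isinstance(m, App):
        if isinstance(m.fn, Lam):                             # (beta)
            return subst(m.fn.body, m.fn.x, m.arg)
        f = step(m.fn)                                        # (nu)
        return None if f is None else App(f, m.arg)
    if isinstance(m, Sel):
        if isinstance(m.rec, Rec):                            # (R1); None if l undefined
            return dict(m.rec.fields).get(m.label)
        r = step(m.rec)                                       # (R2)
        return None if r is None else Sel(r, m.label)
    if isinstance(m, Upd):
        if isinstance(m.rec, Rec):                            # (R3); None if l undefined
            if m.label not in dict(m.rec.fields): return None
            return Rec(tuple((l, m.new if l == m.label else b) for l, b in m.rec.fields))
        r = step(m.rec)                                       # (R4)
        return None if r is None else Upd(r, m.label, m.new)
    return None                                               # Var, Lam, Rec

def is_value(m):                       # Definition 2, for closed terms
    return isinstance(m, (Rec, Lam))

def evaluate(m, fuel=500):
    """The V with M ->_w^* V in the set of values, or None if M blocks or exceeds fuel."""
    for _ in range(fuel):
        if is_value(m): return m
        m = step(m)
        if m is None: return None    # blocked normal form, e.g. an undefined label
    return None

def translate(a):
    """Self-application interpretation (Definition 3): methods become functions of self."""
    if isinstance(a, OVar): return Var(a.name)
    if isinstance(a, Obj):  return Rec(tuple((l, Lam(x, translate(b))) for l, x, b in a.methods))
    if isinstance(a, OSel): return App(Sel(translate(a.obj), a.label), translate(a.obj))
    return Upd(translate(a.obj), a.label, Lam(a.x, translate(a.body)))

def osubst(a, x, v):                   # a{v/x} with v closed
    if isinstance(a, OVar): return v if a.name == x else a
    if isinstance(a, Obj):  return Obj(tuple((l, y, b if y == x else osubst(b, x, v)) for l, y, b in a.methods))
    if isinstance(a, OSel): return OSel(osubst(a.obj, x, v), a.label)
    return OUpd(osubst(a.obj, x, v), a.label, a.x, a.body if a.x == x else osubst(a.body, x, v))

def ostep(a):
    """One step of the sigma-reduction of Definition 4; None for a normal form."""
    if isinstance(a, OSel):
        if isinstance(a.obj, Obj):                            # (i)
            hits = [(x, b) for l, x, b in a.obj.methods if l == a.label]
            return osubst(hits[0][1], hits[0][0], a.obj) if hits else None
        o = ostep(a.obj)                                      # (iii)
        return None if o is None else OSel(o, a.label)
    if isinstance(a, OUpd):
        if isinstance(a.obj, Obj):                            # (ii)
            if all(l != a.label for l, _, _ in a.obj.methods): return None
            return Obj(tuple((l, a.x, a.body) if l == a.label else (l, x, b) for l, x, b in a.obj.methods))
        o = ostep(a.obj)                                      # (iv)
        return None if o is None else OUpd(o, a.label, a.x, a.body)
    return None

def oevaluate(a, fuel=500):
    for _ in range(fuel):
        if isinstance(a, Obj): return a
        a = ostep(a)
        if a is None: return None
    return None

def agrees(a, fuel=500):
    """Theorem 1 on one term: a converges iff its translation converges (within fuel)."""
    return (oevaluate(a, fuel) is not None) == (evaluate(translate(a), fuel) is not None)

# Constructed sample terms; LOOP is the diverging object of the introduction.
SELF = Obj((("l", "x", OVar("x")),))                              # [l = sigma(x) x]
LOOP = OSel(Obj((("l", "x", OSel(OVar("x"), "l")),)), "l")        # [l = sigma(x) x.l].l
FIXED = OSel(OUpd(LOOP.obj, "l", "y", OVar("y")), "l")            # (LOOP's object .l <= sigma(y) y).l
BLOCKED = Upd(Lam("x", Var("x")), "l", Lam("x", Var("x")))        # normal form, not a value
```

`evaluate(translate(LOOP))` and `oevaluate(LOOP)` both return `None` because the translated term $(\,(l = \lambda x.(x.l)\,x).l\,)\,(l = \ldots)$ reduces to itself after a $(\nu)$/$(R1)$ step and a $(\beta)$ step, exactly as the ς-term does under rule (i); `FIXED` overrides the looping method before selecting it and converges on both sides, and `step(BLOCKED)` is `None` while `is_value(BLOCKED)` is false.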



4 A Type Assignment System

In this section we introduce the basic tool we use for analyzing the computational behaviour of λ-terms. It is a type assignment system, which is an extension of system $CDV_\omega$ (see caaia), also called $\mathcal{D}\Omega$ in m. To the arrow and intersection type constructors we add a constructor for record types, which is from . Types are defined according to the grammar:
$$\sigma ::= \alpha \mid \omega \mid \sigma \to \tau \mid \sigma \wedge \tau \mid (l_i : \sigma_i^{\ i \in I})$$
where $\alpha$ ranges over a denumerable set of type variables, $\omega$ is a constant, $\sigma$ and $\tau$ are types, and $I$ ranges over finite sets of indexes.

Definition 5. The type assignment system $CDV_R$ is defined in Figure 2. Judgments take the usual form $\Gamma \vdash M : \tau$, with $M \in \Lambda_R$. The context $\Gamma$ is a finite set of assumptions $x : \sigma$, where each variable occurs at most once; the writing $\Gamma, x : \sigma$ is an abbreviation of $\Gamma \cup \{x : \sigma\}$, for $x \notin \Gamma$. We write $\Gamma \vdash_{CDV_R} M : \tau$ to abbreviate “$\Gamma \vdash M : \tau$ is derivable in system $CDV_R$”.
$$\frac{}{\Gamma, x : \sigma \vdash x : \sigma}\ (Var)
\qquad
\frac{\Gamma, x : \sigma \vdash M : \tau}{\Gamma \vdash \lambda x.M : \sigma \to \tau}\ (\to I)
\qquad
\frac{\Gamma \vdash M : \sigma \to \tau \qquad \Gamma \vdash N : \sigma}{\Gamma \vdash MN : \tau}\ (\to E)$$

$$\frac{}{\Gamma \vdash M : \omega}\ (\omega)
\qquad
\frac{\Gamma \vdash M : \sigma \qquad \Gamma \vdash M : \tau}{\Gamma \vdash M : \sigma \wedge \tau}\ (\wedge I)
\qquad
\frac{\Gamma \vdash M : \sigma \wedge \tau}{\Gamma \vdash M : \sigma}\quad \frac{\Gamma \vdash M : \sigma \wedge \tau}{\Gamma \vdash M : \tau}\ (\wedge E)$$

$$\frac{\forall i \in J\quad \Gamma \vdash M_i : \sigma_i \qquad J \subseteq I}{\Gamma \vdash (l_i = M_i^{\ i \in I}) : (l_j : \sigma_j^{\ j \in J})}\ (()I)
\qquad
\frac{\Gamma \vdash M : (l_i : \sigma_i^{\ i \in I}) \qquad j \in I}{\Gamma \vdash M.l_j : \sigma_j}\ (()E)$$

$$\frac{\Gamma \vdash M : (l_i : \sigma_i^{\ i \in I}) \qquad \Gamma \vdash N : \tau \qquad j \in I}{\Gamma \vdash M.l_j := N : (l_i : \sigma_i^{\ i \in I \setminus \{j\}}, l_j : \tau)}\ (()U)$$

Fig. 2. $CDV_R$, intersection type assignment system for $\Lambda_R$.



Adding rules $(\omega)$, $(\wedge I)$ and $(\wedge E)$ to the Curry rules $(Var)$, $(\to I)$ and $(\to E)$ yields system $CDV_\omega$. Rules $(()E)$ and $(()U)$ are from [P]; rule $(()I)$ is slightly more liberal than the usual record type introduction rule: it is however a good example of the distinctive feature of intersection types. In fact, in ordinary typed systems, records are elements of some cartesian product; with respect to such an interpretation rule $(()I)$ is unsound. But the meaning of the record type $(l_i : \sigma_i^{\ i \in I})$ in our system (as it is formally defined below) is the property of reducing to some record such that, if some $l_i$ is selected, for $i \in I$, then something having property $\sigma_i$ is returned. Hence the extension of the property $(l_1 : \sigma_1, l_2 : \sigma_2)$ is included in the extension of $(l_i : \sigma_i)$, for any $i = 1, 2$. Finally, rule $(()U)$ is sound both w.r.t. the standard interpretation of record types and w.r.t. our interpretation: in fact, if the component types have to express properties of record components, and some of these is changed by an update, then it is reasonable that its type changes too. It would be unsound, instead, in system $OB_{1<:}$ (see Figure 3), as this rule immediately conflicts with the self type.

The essential reason for using intersection types and $\omega$ is type invariance under subject reduction and expansion, as stated in the next theorem; its proof follows a standard pattern and is omitted.

Theorem 2 (Subject reduction and expansion). Let $M, N \in \Lambda_R$ and $\sigma$ be any type:

i) if $\Gamma \vdash_{CDV_R} M : \sigma$ and $M \to_w N$ then $\Gamma \vdash_{CDV_R} N : \sigma$;

ii) if $\Gamma \vdash_{CDV_R} N : \sigma$ and $M \to_w N$ then $\Gamma \vdash_{CDV_R} M : \sigma$. □

We observe that a restrictive rule for update, closer to rule $(Val\ Update)$ of system $OB_{1<:}$, such as
$$\frac{\Gamma \vdash M : (l_i : \sigma_i^{\ i \in I}) \qquad \Gamma \vdash N : \sigma_j \qquad j \in I}{\Gamma \vdash M.l_j := N : (l_i : \sigma_i^{\ i \in I})}\ (()U')$$
would break (ii) of Theorem 2. Indeed, if $\Omega = (\lambda x.xx)(\lambda x.xx)$ and $I = \lambda x.x$, then $(l = \Omega).l := I \to_w (l = I)$; now $(l = I)$ has type $(l : \sigma \to \sigma)$, for any $\sigma$, but, with $(()U')$ in place of $(()U)$, $(l = \Omega).l := I$ has type $(l : \omega)$ at best.

That types are “functional characters” is formalized by the following type interpretation, which associates to each type its extension. Note that it is a closed interpretation, namely extensions of types are subsets of $\Lambda^0_R$.

For $X, Y, X_i \subseteq \Lambda^0_R$ let us set (by overloading $\to$ and $()$):
$$X \to Y = \{M \in \Lambda^0_R \mid \exists F \in \mathcal{F}.\ M \Downarrow F \wedge \forall N \in X.\ FN \in Y\},$$
$$(l_i : X_i^{\ i \in I}) = \{M \in \Lambda^0_R \mid \exists R \in \mathcal{R}.\ M \Downarrow R \wedge \forall i \in I.\ R.l_i \in X_i\}.$$

We are now in place to define type interpretation, by associating to each type 
a subset of given an interpretation of type variables. 

Definition 6 (Type interpretation). A closed interpretation I is any map 
from type variables to subsets of A^. R extends to a closed type interpretation 
(type interpretation for short) |cr]]i C A^ as follows: 

|a]]i =I{a), 

|cr r]]i = |crji [[rji, 

I(/. : a. = ih : 

|cr A rjx = |cr]]i Cl |r]]x. 

With this definition of type interpretation there may be empty types, and 
even types which are empty under any interpretation ℐ, e.g. (ω → ω) ∧ ⟨l : ω⟩, 
which also shows that the problem would be solved neither by some clever 
definition of the interpretation of type variables, nor by eliminating type variables 
altogether. 

On the other hand one could weaken the definition of arrow and record type 
interpretations, by asking only that M ⇓ V, for some V, and observing that both 
(λx.M)·l and ⟨l = M⟩N are in the interpretation of ω, for any closed M, N. But 
all this results in an unnecessary weakening of the theorem below, and contradicts 
the philosophy of types as functional characters. 

As a final remark about type interpretation let us define: 

$$\sigma \le \tau \;=\; \forall \mathcal I.\ [\![\sigma]\!]_{\mathcal I} \subseteq [\![\tau]\!]_{\mathcal I},\qquad \sigma = \tau \;=\; \sigma \le \tau \le \sigma.$$

Then we have some expected inequations: among them note (i) and (ii), which 
are subtyping in width and in depth respectively. 

Proposition 1. The following (in)equations hold: 

i) $I \subseteq J \Rightarrow \langle l_i : \sigma_i\rangle^{i\in J} \le \langle l_i : \sigma_i\rangle^{i\in I}$; 

ii) $\forall i \in I.\ \sigma_i \le \tau_i \Rightarrow \langle l_i : \sigma_i\rangle^{i\in I} \le \langle l_i : \tau_i\rangle^{i\in I}$; 

iii) $\langle l_i : \sigma_i\rangle^{i\in I} = \bigwedge_{i\in I}\langle l_i : \sigma_i\rangle$; 

iv) $\langle l : \sigma\rangle \wedge \langle l : \tau\rangle = \langle l : \sigma \wedge \tau\rangle$. 

□ 
Types: 

$$A ::= \alpha \mid \mathrm{Top} \mid [l_i : A_i]^{i\in I}$$

Subtyping rules: 

$$\frac{}{E \vdash A <: \mathrm{Top}}\ (\text{Sub Top}) \qquad \frac{}{E \vdash [l_i : B_i]^{i\in I\cup J} <: [l_i : B_i]^{i\in I}}\ (\text{Sub Object})$$

$$\frac{}{E \vdash A <: A}\ (\text{Sub Refl}) \qquad \frac{E \vdash A <: B \qquad E \vdash B <: C}{E \vdash A <: C}\ (\text{Sub Trans})$$

Fig. 3. Subtyping rules for system OB1<:. 



5 Typing Interpretations of ς-Calculus 

We now turn to untyped interpretations of ς-terms into Λ_R. Since we are also 
interested in appreciating the closeness or the distance between our typing of 
the interpretations and what can be deduced for typed versions of the same 
ς-terms, we consider a type assignment version of Abadi and Cardelli's system 
OB1<:, which we still call OB1<:. 

To make reading more comfortable, we report the definition of system OB1<: 
in figures 3 and 4 (we omit both the rules for kinds and the premises concerning the 
assumption that types and contexts are well formed, since first order types are easily 
defined by a grammar and we suppose that in a context each term variable occurs 
at most once). In the examples below we add term constants to make reading 
easier: they are typed according to some obvious rules, which we collectively 
name (Const) in both systems (OB1<: and ours). 

The self-application interpretation has been introduced in definition 0 of section 
0. The criticism of this interpretation is that it is unsuitable w.r.t. subtyping, 
because the abstractions in front of method bodies make the type of the 
interpretation of an object term contravariant in the self type. 

Let us consider the ς-term: 

$$o_2 = [l_1 = \varsigma(x)3,\ l_2 = \varsigma(x)x.l_1 \Leftarrow \varsigma(y)x.l_1 + 1].$$

In system OB1<: it can be typed by σ = [l_1 : int, l_2 : []], as the following 
derivation shows (each judgment is labelled by the rule deriving it, with the 
judgments it is derived from): 

(1) $x : \sigma, y : \sigma \vdash x : \sigma$ (Var) 

(2) $x : \sigma, y : \sigma \vdash x.l_1 : int$ (Val Select) from (1) 

(3) $x : \sigma, y : \sigma \vdash x.l_1 + 1 : int$ (Const) from (2) 

(4) $x : \sigma \vdash x : \sigma$ (Var) 

(5) $x : \sigma \vdash x.l_1 \Leftarrow \varsigma(y)x.l_1 + 1 : \sigma$ (Val Update) from (4), (3) 

(6) $x : \sigma \vdash x.l_1 \Leftarrow \varsigma(y)x.l_1 + 1 : [\,]$ (Val Sub) from (5) and $\vdash \sigma <: [\,]$ (Sub Object) 

(7) $x : \sigma \vdash 3 : int$ (Const) 

(8) $\vdash o_2 : \sigma$ (Type Object) from (7), (6) 

Its interpretation is 

$$[\![o_2]\!]^{sa} = \langle l_1 = \lambda x.3,\ l_2 = \lambda x.\,x\cdot l_1 := \lambda y.(x\cdot l_1)x + 1\rangle$$
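The following is an added example, not code from the paper: a small Python evaluator for weak reduction in Λ_R (records with delayed components, selection, update; integer constants and + as in the paper's examples) together with the self-application encoding of method invocation, o.l ↦ ([[o]]·l)[[o]], and of override. It builds [[o_2]]^{sa} as above, invokes l_1 and l_2, and also exercises the two failure modes the text discusses: ⟨l = Ω⟩·l := I converges because record components are never evaluated by an update, and selecting an undefined label gets stuck. The class names and the `Stuck` exception are this example's own conventions.

```python
"""Weak reduction of lambda-terms with records, and the self-application
interpretation of the object o2 (added example, not the paper's own code)."""
from dataclasses import dataclass
from typing import Tuple, Union

# Syntax of Lambda_R, plus the integer constants and + used in the examples.
@dataclass(frozen=True)
class Var:   name: str
@dataclass(frozen=True)
class Lam:   var: str; body: "Term"
@dataclass(frozen=True)
class App:   fun: "Term"; arg: "Term"
@dataclass(frozen=True)
class Rec:   fields: Tuple[Tuple[str, "Term"], ...]   # <l1 = M1, ..., ln = Mn>
@dataclass(frozen=True)
class Sel:   rec: "Term"; label: str                  # M.l
@dataclass(frozen=True)
class Upd:   rec: "Term"; label: str; new: "Term"     # M.l := N
@dataclass(frozen=True)
class Const: value: int
@dataclass(frozen=True)
class Plus:  left: "Term"; right: "Term"

Term = Union[Var, Lam, App, Rec, Sel, Upd, Const, Plus]

# Values of weak reduction: closures, records whose components stay unevaluated, ints.
@dataclass
class Closure: var: str; body: Term; env: dict
@dataclass
class RecV:    fields: dict          # label -> Thunk
@dataclass
class Thunk:   term: Term; env: dict

class Stuck(Exception):
    """Reduction got stuck: selection/update over an undefined label or
    application of a non-abstraction (such terms only have trivial types)."""

def force(th: Thunk):
    return evaluate(th.term, th.env)

def evaluate(t: Term, env: dict):
    """Weak reduction to a value; a record is a value, so its components are
    delayed (this is what makes <l = Omega>.l := I converge)."""
    if isinstance(t, Var):
        return force(env[t.name])
    if isinstance(t, Const):
        return t.value
    if isinstance(t, Lam):
        return Closure(t.var, t.body, env)
    if isinstance(t, Rec):
        return RecV({l: Thunk(m, env) for l, m in t.fields})
    if isinstance(t, App):
        f = evaluate(t.fun, env)
        if not isinstance(f, Closure):
            raise Stuck("application of a non-abstraction")
        return evaluate(f.body, {**f.env, f.var: Thunk(t.arg, env)})
    if isinstance(t, (Sel, Upd)):
        r = evaluate(t.rec, env)
        if not isinstance(r, RecV) or t.label not in r.fields:
            raise Stuck(f"label {t.label} undefined")
        if isinstance(t, Sel):
            return force(r.fields[t.label])
        return RecV({**r.fields, t.label: Thunk(t.new, env)})
    if isinstance(t, Plus):
        return evaluate(t.left, env) + evaluate(t.right, env)
    raise TypeError(f"not a term: {t!r}")

def converges(t: Term) -> bool:
    """True if the closed term reduces to a value (may loop on divergent terms)."""
    try:
        evaluate(t, {})
        return True
    except Stuck:
        return False

# Self-application interpretation of method invocation and override.
def invoke(obj: Term, label: str) -> Term:
    """[[o.l]] = ([[o]].l)[[o]]: the selected method is applied to the object itself."""
    return App(Sel(obj, label), obj)

def override(obj: Term, label: str, self_var: str, body: Term) -> Term:
    """[[o.l <= s(y)b]] = [[o]].l := \\y.[[b]]"""
    return Upd(obj, label, Lam(self_var, body))

X = Var("x")
# [[o2]] = <l1 = \x.3, l2 = \x. x.l1 := \y.(x.l1)x + 1>
O2 = Rec((
    ("l1", Lam("x", Const(3))),
    ("l2", Lam("x", override(X, "l1", "y", Plus(invoke(X, "l1"), Const(1))))),
))
OMEGA = App(Lam("x", App(X, X)), Lam("x", App(X, X)))

def demo():
    first = evaluate(invoke(O2, "l1"), {})                       # o2.l1 -> 3
    second = evaluate(invoke(invoke(O2, "l2"), "l1"), {})        # (o2.l2).l1 -> 4
    updated = evaluate(Upd(Rec((("l", OMEGA),)), "l", Lam("x", X)), {})
    stuck = converges(Sel(Rec((("l", Const(1)),)), "m"))         # undefined label
    return first, second, isinstance(updated, RecV), stuck

if __name__ == "__main__":
    print(demo())   # (3, 4, True, False)
```

Invoking l_2 returns a record whose l_1 component is the closure λy.(x·l_1)x + 1 with x bound to [[o_2]]^{sa}; invoking l_1 on it then computes 3 + 1, which is exactly the self-application mechanism the typing derivations below have to account for.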
$$\frac{}{E, x : A \vdash x : A}\ (\text{Var}) \qquad \frac{E \vdash a : [l_i : B_i]^{i\in I} \qquad j \in I}{E \vdash a.l_j : B_j}\ (\text{Val Select})$$

$$\frac{E, x_i : A \vdash b_i : B_i \quad \forall i \in I \qquad A = [l_i : B_i]^{i\in I}}{E \vdash [l_i = \varsigma(x_i)b_i]^{i\in I} : A}\ (\text{Type Object})$$

$$\frac{E \vdash a : A \qquad E, y : A \vdash b : B_j \qquad j \in I \qquad A = [l_i : B_i]^{i\in I}}{E \vdash a.l_j \Leftarrow \varsigma(y)b : A}\ (\text{Val Update})$$

$$\frac{E \vdash a : A \qquad E \vdash A <: B}{E \vdash a : B}\ (\text{Val Sub})$$

Fig. 4. Typing rules of type assignment system OB1<:. 



In CDV_R we may assign to [[o_2]]^{sa} the type σ_1 = ⟨l_1 : ω → int, l_2 : ω⟩, which is 
close to the original type of o_2 in OB1<:; but we can also deduce 

$$\sigma_2 = \langle l_1 : \sigma_1 \to int,\ l_2 : \sigma_1 \to \sigma_1\rangle.$$

In fact (listing the judgments of the derivation with the rule deriving each): 

(1) $x : \sigma_1 \vdash 3 : int$ (Const) 

(2) $\vdash \lambda x.3 : \sigma_1 \to int$ (→I) from (1) 

(3) $x : \sigma_1 \vdash x : \sigma_1$ (Var) 

(4) $x : \sigma_1 \vdash \lambda y.(x\cdot l_1)x + 1 : \omega \to int$ (derived below) 

(5) $x : \sigma_1 \vdash x\cdot l_1 := \lambda y.(x\cdot l_1)x + 1 : \sigma_1$ (⟨⟩U) from (3), (4) 

(6) $\vdash \lambda x.x\cdot l_1 := \lambda y.(x\cdot l_1)x + 1 : \sigma_1 \to \sigma_1$ (→I) from (5) 

(7) $\vdash [\![o_2]\!]^{sa} : \sigma_2$ (⟨⟩I) from (2), (6) 

since 

(a) $x : \sigma_1, y : \omega \vdash x : \sigma_1$ (Var) 

(b) $x : \sigma_1, y : \omega \vdash x\cdot l_1 : \omega \to int$ (⟨⟩E) from (a) 

(c) $x : \sigma_1, y : \omega \vdash x : \omega$ (ω) 

(d) $x : \sigma_1, y : \omega \vdash (x\cdot l_1)x : int$ (→E) from (b), (c) 

(e) $x : \sigma_1, y : \omega \vdash (x\cdot l_1)x + 1 : int$ (Const) from (d) 

(f) $x : \sigma_1 \vdash \lambda y.(x\cdot l_1)x + 1 : \omega \to int$ (→I) from (e) 

These types are not that different from those which are derivable for o_2 in 
OB1<:; moreover the occurrence of ω seems to be connected to their recursive 
nature. But [[o_2]]^{sa} is a normal form (and a value): by analogy with the untyped λ-
calculus and the characterization of strongly normalizing terms in system CDV 
(see [14,22]), we expect that it should be typable without any occurrence of ω, 
both in the conclusion and in the derivation. This is actually the case. Let τ, ρ 
be any types (possibly type variables) without occurrences of ω; define 
σ_3 = ⟨l_1 : τ → int, l_2 : ρ⟩ (the shape that the derivation below requires). 

Then: 

(a) $x : \sigma_3 \wedge \tau, y : \tau \vdash x : \sigma_3 \wedge \tau$ (Var) 

(b) $x : \sigma_3 \wedge \tau, y : \tau \vdash x : \sigma_3$ (∧E) from (a) 

(c) $x : \sigma_3 \wedge \tau, y : \tau \vdash x\cdot l_1 : \tau \to int$ (⟨⟩E) from (b) 

(d) $x : \sigma_3 \wedge \tau, y : \tau \vdash x : \tau$ (∧E) from (a) 

(e) $x : \sigma_3 \wedge \tau, y : \tau \vdash (x\cdot l_1)x : int$ (→E) from (c), (d) 

(f) $x : \sigma_3 \wedge \tau, y : \tau \vdash (x\cdot l_1)x + 1 : int$ (Const) from (e) 

(g) $x : \sigma_3 \wedge \tau \vdash \lambda y.(x\cdot l_1)x + 1 : \tau \to int$ (→I) from (f) 

Therefore, writing N = (x·l_1)x + 1, we have 

(1) $x : \tau \vdash 3 : int$ (Const) 

(2) $\vdash \lambda x.3 : \tau \to int$ (→I) from (1) 

(3) $x : \sigma_3 \wedge \tau \vdash x : \sigma_3 \wedge \tau$ (Var) 

(4) $x : \sigma_3 \wedge \tau \vdash x : \sigma_3$ (∧E) from (3) 

(5) $x : \sigma_3 \wedge \tau \vdash \lambda y.N : \tau \to int$ by (g) 

(6) $x : \sigma_3 \wedge \tau \vdash x\cdot l_1 := \lambda y.N : \sigma_3$ (⟨⟩U) from (4), (5) 

(7) $\vdash \lambda x.x\cdot l_1 := \lambda y.N : \sigma_3 \wedge \tau \to \sigma_3$ (→I) from (6) 

(8) $\vdash [\![o_2]\!]^{sa} : \langle l_1 : \tau \to int,\ l_2 : \sigma_3 \wedge \tau \to \sigma_3\rangle$ (⟨⟩I) from (2), (7) 

As a matter of fact we conjecture the stronger statement: if CDV_R^- is obtained 
from CDV_R by deleting ω from the type definition, and eliminating rule (ω) 
from the system, then M ∈ Λ_R is typable in CDV_R^- if and only if it is strongly 
normalizing. If the full reduction of the ς-calculus is considered, we also conjecture 
that any term [[a]]^{sa}, such that a is typable in OB1<:, is typable in system CDV_R^- 
if and only if a is strongly normalizable in the ς-calculus. 

As the last example shows, the interpretation of the self-variable can be typed 
in a non-uniform way. Indeed [[[l_i = ς(x_i)b_i]^{i∈I}]]^{sa} is typed (among many other 
possibilities) by ⟨l_i : σ_i → τ_i⟩^{i∈I} for some σ_i, τ_i, where the σ_i are not necessarily 
equal. 

This, which surely sounds odd to those familiar with typings of object cal- 
culi, is sound in our perspective: in fact in the derivation of the type of object 
interpretations the judgment x_i : σ_i does not mean "the type of this object is 
σ_i", since the type we derive is just a predicate of records. It is indeed clear that 
the notion of self is not immediately translated into the interpretation of object 
terms; rather it is implicit in the translation of method invocation. 

We only observe that it is possible to collect all the assumptions made 
about the self-variable into a uniform typing: indeed any derivation of [[[l_i = 
ς(x_i)b_i]^{i∈I}]]^{sa} : ⟨l_i : σ_i → τ_i⟩^{i∈I} can be transformed into a derivation of 
[[[l_i = ς(x_i)b_i]^{i∈I}]]^{sa} : ⟨l_i : σ → τ_i⟩^{i∈I} with σ = ⋀_{i∈I} σ_i. 



6 The Characterization Theorem 

In this section we provide a characterization of convergent λ-terms with records 
using the type assignment system of section 4. Combining this with theorem 1 
we obtain a characterization of convergent ς-terms, which is the main result of 
the paper. Henceforth by types we mean intersection types for Λ_R. This char- 
acterization has a strict analogy with the characterization of those terms from 
the (classical) λ-calculus which are reducible to some head normal form (see e.g. 
[?]). 

A type is trivial if its interpretation is Λ^0_R for any ℐ: then a trivial type is 
either ω or an intersection of trivial types. A subset X ⊆ Λ^0_R is saturated if it 
is closed under closed expansions (M is a closed expansion of N if M → N 
and M ∈ Λ^0_R); we also say that ℐ is a saturated interpretation if ℐ(α) is a 
saturated set, for all type variables α. A straightforward induction shows that, if 
ℐ is saturated then [[σ]]_ℐ is saturated, for all σ. 

A closed substitution is some mapping ϑ : TermVar → Λ^0_R; Mϑ denotes the 
result of substituting all free occurrences of x in M by ϑ(x). We say that ϑ 
respects Γ, ℐ if for all x : σ ∈ Γ it is the case that ϑ(x) ∈ [[σ]]_ℐ. Observe that, if 
ϑ respects Γ, ℐ then [[σ]]_ℐ ≠ ∅, for all σ occurring in Γ. 

Lemma 2 (Soundness of Type Interpretation). Let Γ ⊢_{CDV_R} M : τ and 
suppose that ℐ is a saturated interpretation. If ϑ is some closed substitution 
respecting Γ, ℐ, then Mϑ ∈ [[τ]]_ℐ. 

Proof. By induction over the derivation of Γ ⊢ M : τ. Cases (Var) and (ω) are 
immediate by the hypothesis. Cases (∧I), (∧E) and (→E) follow by the induction 
hypothesis. The fact that the interpretation of some types may be empty is 
relevant just in case the derivation ends with an application of rule (→I). 

Case (→I): the derivation ends by 

$$\frac{\Gamma, x : \sigma \vdash M : \tau}{\Gamma \vdash \lambda x.M : \sigma \to \tau}\ (\to I)$$

Clearly (λx.M)ϑ ⇓ (λx.M)ϑ. If [[σ]]_ℐ = ∅, then (λx.M)ϑ ∈ [[σ → τ]]_ℐ 
vacuously. Else, for any N ∈ [[σ]]_ℐ let ϑ' be such that ϑ'(x) = N, 
ϑ'(y) = ϑ(y), if y ≠ x. Since ϑ' respects Γ, x : σ, ℐ, by induction we have 
Mϑ' = (M[N/x])ϑ ∈ [[τ]]_ℐ; now ((λx.M)N)ϑ →_w (M[N/x])ϑ, and the 
thesis follows since [[τ]]_ℐ is a saturated set. 

Case (⟨⟩I): the derivation ends by 

$$\frac{\Gamma \vdash M_j : \sigma_j \qquad \forall j \in J \subseteq I}{\Gamma \vdash \langle l_i = M_i\rangle^{i\in I} : \langle l_j : \sigma_j\rangle^{j\in J}}\ (\langle\rangle I)$$

Since ⟨l_i = M_i⟩^{i∈I}ϑ = ⟨l_i = M_iϑ⟩^{i∈I}, we have, for all j ∈ J ⊆ I, 

$$\langle l_i = M_i\vartheta\rangle^{i\in I}\cdot l_j \to_w M_j\vartheta \in [\![\sigma_j]\!]_{\mathcal I}$$

by induction; the thesis now follows since [[σ_j]]_ℐ is saturated. 

Case (⟨⟩E): the derivation ends by 

$$\frac{\Gamma \vdash M : \langle l_i : \sigma_i\rangle^{i\in I} \qquad j \in I}{\Gamma \vdash M\cdot l_j : \sigma_j}\ (\langle\rangle E)$$

By induction Mϑ ∈ [[⟨l_i : σ_i⟩^{i∈I}]]_ℐ, hence for some R ∈ ℛ, Mϑ ⇓ R and 
R·l_i ∈ [[σ_i]]_ℐ, for all i ∈ I. Mϑ →_w R implies Mϑ·l_j →_w R·l_j, and 
therefore Mϑ·l_j ∈ [[σ_j]]_ℐ, since [[σ_j]]_ℐ is saturated. 

Case (⟨⟩U): the derivation ends by 

$$\frac{\Gamma \vdash M : \langle l_i : \sigma_i\rangle^{i\in I} \qquad \Gamma \vdash L : \sigma \qquad j \in I}{\Gamma \vdash M\cdot l_j := L : \langle l_i : \sigma_i{}^{i\in I\setminus\{j\}},\ l_j : \sigma\rangle}\ (\langle\rangle U)$$

By induction there exists some R ∈ ℛ such that Mϑ ⇓ R and R·l_i ∈ 
[[σ_i]]_ℐ, for all i ∈ I. By definition R has the shape ⟨l_i = M_i⟩^{i∈I}, therefore 

$$(M\cdot l_j := L)\vartheta = M\vartheta\cdot l_j := L\vartheta \twoheadrightarrow_w \langle l_i = M_i\rangle^{i\in I}\cdot l_j := L\vartheta \to_w \langle l_i = M_i{}^{i\in I\setminus\{j\}},\ l_j = L\vartheta\rangle$$

and ⟨l_i = M_i^{i∈I∖{j}}, l_j = Lϑ⟩ ∈ [[⟨l_i : σ_i^{i∈I∖{j}}, l_j : σ⟩]]_ℐ by the above and 
the induction hypothesis. The thesis follows since [[⟨l_i : σ_i^{i∈I∖{j}}, l_j : σ⟩]]_ℐ 
is saturated. 

□ 

Given the soundness of type interpretation we use it, together with type 
invariance under reduction and expansion, to characterize convergent λ-terms 
with records: 

Theorem 3. For any closed term M, M ⇓ if and only if it is typable by some 
non-trivial type in CDV_R; moreover M ⇓ F for some F ∈ ℱ if and only if M 
is typable by ω → ω, and M ⇓ R, for some R ∈ ℛ, if and only if M is typable 
by ⟨l_i : ω⟩^{i∈I} for some I. 

Proof. The only-if part follows by theorem 2 (ii) and the fact that ⊢_{CDV_R} λx.M : 
ω → ω and ⊢_{CDV_R} ⟨l_i = M_i⟩^{i∈I} : ⟨l_i : ω⟩^{i∈I} for all λx.M ∈ ℱ and ⟨l_i = 
M_i⟩^{i∈I} ∈ ℛ. The if part is a consequence of lemma 2. 

□ 

A further consequence of this theorem is that terms reducing to a selection 
M·l or an update M·l := N over some label l which is undefined in M have 
only trivial types; in particular ill-formed terms like I·l are only typable by 
conjunctions of ω. 

We are eventually in place to state the main result of the paper. 

Corollary 1. For all pure (i.e. constant free) untyped ς-terms a, a ⇓ if and only 
if [[a]]^{sa} ⇓ if and only if for some Γ and l, Γ ⊢_{CDV_R} [[a]]^{sa} : ⟨l : ω⟩. 

Proof. By theorems 1 and 3. 

□ 



Characterizing Convergent Terms in Object Calculi via Intersection Types 327 



7 Conclusion and Further Work 

We have shown that a piece of the theory of type assignment nicely yields a charac- 
terization of convergent ς-terms, up to the modest overhead of the self-application 
interpretation. But it seems that we have just scratched the surface of a subject 
which deserves further investigation. 

First, a suitable extension of the notion of saturated sets should give the tool 
to settle the conjecture in section 5 that exactly the interpretations of strongly 
normalizing objects (w.r.t. the full reduction relation) are typable in system 
CDV_R^-. In the same vein one may also consider the problem of characterizing 
other properties of reduction in object calculi that have been studied for the 
λ-calculus [?]. 

A further step is to build filter models of object calculi using Λ_R and its 
typings as an auxiliary tool. This opens the question of the structure of the 
model, namely its theory; conversely one may investigate whether, given a theory 
such as the bisimulation theory of objects [?], a filter model can be devised such 
that the theory is complete w.r.t. that model. 

An obvious task is the investigation of subtyping: if we consider the containment 
induced by type interpretation in section 4, this is subtyping in depth and width; 
but a simple and direct correspondence with subtyping in object calculi is un- 
likely. If instead of the containment semantics one considers the coercion semantics of 
subtyping (see e.g. [23], chapter 10), however, our framework looks more promis- 
ing: it is also tempting to consider the retractions-as-types proposal by Scott [?], 
and see what happens. 

Finally, looking for some practical application, it should not be difficult to 
find a type reconstruction method based on the notion of principal types, 
even if, of course, the typability of normalizing objects is undecidable in our 
system. It is also worth seeing whether certain abstract interpretation and 
static analysis techniques based on type systems (see e.g. [24,13,11]) carry over 
to object calculi using our approach. 
Abstract. A new proof of strong normalization of Parigot's (second 
order) λμ-calculus is given by a reduction-preserving embedding into 
system F (second order polymorphic λ-calculus). The main idea is to 
use the least stable supertype for any type. These non-strictly positive 
inductive types and their associated iteration principle are available in 
system F, and allow us to give a translation vaguely related to CPS trans- 
lations (corresponding to the Kolmogorov embedding of classical logic 
into intuitionistic logic). However, they simulate Parigot's μ-reductions 
whereas CPS translations hide them. 

As a major advantage, this embedding does not use the idea of reducing 
stability (¬¬φ → φ) to that for atomic formulae. Therefore, it even 
extends to non-interleaving positive fixed-point types. As a non-trivial 
application, strong normalization of λμ-calculus, extended by primitive 
recursion on monotone inductive types, is established. 

1 Introduction 

λμ-calculus [?] essentially is the extension of natural deduction by "reductio 
ad absurdum" (RAA), i.e., by a term formation rule corresponding to stability 
(¬¬ρ → ρ, also called "duplex negatio affirmat") and by rewrite rules for the 
simplification of the application of elimination rules to RAA (in the case of →- 
elimination this corresponds to the fact that the stability of ρ → σ is derivable 
from that of σ). 

In [14] (besides a direct proof of strong normalization via saturated sets) 
we find a reduction of the proof of strong normalization of λμ-calculus to the 
well-known strong normalization of system F. The proof is quite intricate since 
the considered CPS translation maps the RAA redexes and their contracta to 
the same term, and hence needs additional arguments on RAA reductions alone 
to guarantee strong normalization of the whole calculus. 

Since these μ-reductions have the flavour of iteration (the application occurs 
in the contractum in a controlled fashion), it has been tempting to explain μ- 
reductions via inductive types. This is achieved by studying the "stabilization" 

* I am grateful for an invitation to present a preliminary version of the present results 
at the "Séminaire Preuves, Programmes et Systèmes" at Paris VII in October 2000. 
S. Abramsky (Ed.): TLCA 2001, LNCS 2044, pp. 329-|^^ 2001. 
⇑ρ of any type ρ. It is the least stable type (i.e., there is a constant of type 
¬¬⇑ρ → ⇑ρ) such that ρ is included in ⇑ρ. From the minimality, we get an 
iteration principle which in fact simulates μ-reductions and therefore illustrates 
nicely what can be achieved with non-strictly positive inductive types. 

There is an even easier embedding into system F [?] which exploits the fact 
that the elimination rules deconstruct the type to be eliminated. Our approach 
is not based on this observation, and it even turns out that type concepts 
can be treated where this observation cannot be made any longer, i.e., where the 
elimination does not deconstruct the type to be eliminated. This is exemplified 
with the addition of non-interleaving positive fixed-point types. It is very un- 
likely that they can be embedded into system F [?]. Therefore, we cannot expect 
to get an embedding into system F but we do get an embedding into system F 
augmented with those fixed-point types. μ-reductions for fixed-point types still 
have a connection between the type eliminated and the result type. This is not 
true of primitive recursion: the inductive type and the type of results of the 
functional defined by primitive recursion may be completely unrelated. Never- 
theless, we can also treat this extension. Firstly, the most general formulation 
of primitive recursion is introduced: primitive recursion on monotone inductive 
types. Secondly, an embedding into non-interleaving positive fixed-point types 
is established, which moreover interacts nicely with μ-reductions. Therefore, we 
can even prove that λμ-calculus with primitive recursion on monotone inductive 
types (and μ-reductions for every type construct) is strongly normalizing. 

The next section recalls system F; in section 3 we review λμ-calculus and 
discuss variations on the definition. Section 4 presents the stabilization ⇑ρ and 
the associated iteration principle and explains it via an impredicative encod- 
ing, whereas in section 5 this system becomes the target of an embedding of 
λμ-calculus. Substitution lemmas are proven in great detail in order to give a 
feeling for the embedding. Fixed-point types are introduced in section 6, and the 
embedding of the previous section is extended to cover fixed-point types (in any 
of the systems studied before). This extension is astonishingly straightforward. 
In the final section 7 monotone inductive types with primitive recursion are 
described. A new embedding of monotone inductive types with primitive recur- 
sion into non-interleaving positive fixed-point types gives the final normalization 
theorem. 



2 System F 

We consider system F (see e.g. [?]) only with function types and universal types, 
i.e., we have infinitely many type variables (denoted by α, β, ...) and with 
types ρ and σ we also have the function type ρ → σ. Moreover, given a variable 
α and a type ρ we form the universal type ∀αρ. The ∀ binds α in ρ. The renaming 
convention for bound variables is adopted. Let FV(ρ) be the set of type variables 
occurring free in ρ. 

Parigot's Second Order λμ-Calculus and Inductive Types 331 

The terms of F are presented as in [?], i.e., without contexts and with fixed 
types (see [?, p. 159] for comments on this original typing à la Church). We 
have infinitely many term variables with types (denoted e.g. by x^ρ), lambda 
abstraction (λx^ρ r^σ)^{ρ→σ} for terms binding x^ρ in r^σ, term application (s^{ρ→σ} t^ρ)^σ, 
lambda abstraction for types (Λα r^ρ)^{∀αρ} (under the usual proviso that α ∉ FV(σ) 
for any x^σ free in r^ρ) and type application (r^{∀αρ} σ)^{ρ[α:=σ]}. We freely use the 
renaming convention for bound term and type variables of terms, and moreover 
omit type superscripts of the terms. We do this even in case of typed variables 
which are in fact pairs of variable names and types, but only if the type can be 
reconstructed from a lambda abstraction binding a variable with the same name. 
(The interested reader may consult the discussion of these issues in [?, sections 
2.1.2 and 2.2.6].) Instead of r^ρ we often write that r has type ρ or even r : ρ. 
We let application associate to the left and write λx^ρ.r to avoid parenthesizing 
of r. 

Beta reduction ▷ for system F is as usual given by 

$$(\beta_\to)\quad (\lambda x^\rho r)s \;\triangleright\; r[x^\rho := s]$$

$$(\beta_\forall)\quad (\Lambda\alpha\, r)\sigma \;\triangleright\; r[\alpha := \sigma].$$

Here, we used the result r[x^ρ := s] of the capture-free substitution of the typed 
variable x^ρ by the term s of type ρ in r and the result r[α := σ] of the capture- 
free substitution of the type variable α by the type σ in r. The reduction relation 
→ is defined as the term closure of ▷. The main theorem on F (due to Girard) 
is that → is strongly normalizing, i.e., there are no infinite reduction sequences 
r_1 → r_2 → r_3 → ⋯ (In [?] all the definitions and lemmas are given quite 
carefully so as to make sure that the main theorem can also be proved in this 
presentation without contexts.) 

3 Second Order λμ-Calculus 

We present λμ-calculus [12] not with sequents but in the same style as system F. 
Although λμ-calculus extends system F by the classical law of reductio ad absur- 
dum, there is neither falsity nor negation in the type system. Hence, we keep the 
type system of F. However, there is a second kind of variables (called μ-variables 
in [12]), denoted by a, b, c, ... They are also paired with types, e.g. a^ρ, whose 
interpretation is the assumption of the negation of ρ. 

The term system is essentially that of F, extended by the rule of reductio ad 
absurdum: μa^σ.[b^ρ]r^ρ is a term of type σ, binding a^σ in [b^ρ]r^ρ. The latter is no 
term but will be called a named term as in [12]. 

The named term [b^ρ]r^ρ is to be understood as the application of the μ-variable 
b^ρ (assuming the negation of ρ) to the term r proving ρ. Hence, b^ρ is free in 
[b^ρ]r^ρ. Moreover, a named term would prove falsity (if it were a legal term and 
falsity were included in the type system), hence [b^ρ]r^ρ gives falsity under the 
assumption of the negation of σ, expressed by the bound variable a^σ. Reductio 
ad absurdum yields σ, hence justifying the type assignment for μa^σ.[b^ρ]r^ρ. 

As a word of caution, a^σ is not a term and not legal for lambda abstraction. 
(Although we allow renaming of bound variables without explicit mention, we 
have to keep to the same sort: either normal variable, called λ-variable in [?], 
or μ-variable.) 

The beta reduction relation ▷ of system F is extended by μ-reductions as 
follows: 

$$(\mu_\to)\quad (\mu a^{\rho\to\sigma}.r)s \;\triangleright\; \mu b^\sigma.\,r[x^{\rho\to\sigma}.[a^{\rho\to\sigma}]x := [b^\sigma](xs)]$$

$$(\mu_\forall)\quad (\mu a^{\forall\alpha\rho}.r)\sigma \;\triangleright\; \mu b^{\rho[\alpha:=\sigma]}.\,r[x^{\forall\alpha\rho}.[a^{\forall\alpha\rho}]x := [b^{\rho[\alpha:=\sigma]}](x\sigma)]$$

Here, r is always a named term, and r[x^ρ.[a^ρ]x := [b^σ]t^σ] denotes the result 
of replacing inductively (bottom-up) in r each subexpression of the form [a^ρ]u^ρ 
by [b^σ](t[x^ρ := u]) for any term u of type ρ (x^ρ binds x^ρ in this substitution 
notation, especially in t). In fact, this is only another notation for the same 
substitution concept in [12]. 

Remark 1. For our present purposes it seems that this unusual notion of sub- 
stitution cannot be avoided. If we had type ⊥, we could formulate reductio ad 
absurdum without reference to μ-variables: Write ¬ρ for ρ → ⊥ and extend F 
only by terms μx^{¬ρ}.r^⊥ of type ρ which bind x^{¬ρ} in r. (We do not need the extra 
concept of named terms since we simply have x^{¬ρ}r^ρ of type ⊥ instead of some 
named term [a^ρ]r^ρ.) Now, we can extend ▷ of system F by 

$$(\mu_\to)'\quad (\mu x^{\neg(\rho\to\sigma)}.r)s \;\triangleright\; \mu y^{\neg\sigma}.\,r[x^{\neg(\rho\to\sigma)} := \lambda z^{\rho\to\sigma}.y(zs)]$$

$$(\mu_\forall)'\quad (\mu x^{\neg\forall\alpha\rho}.r)\sigma \;\triangleright\; \mu y^{\neg\rho[\alpha:=\sigma]}.\,r[x^{\neg\forall\alpha\rho} := \lambda z^{\forall\alpha\rho}.y(z\sigma)].$$

This formulation¹ only needs standard substitution and is obviously slightly 
more general than λμ (λμ imposes a stronger discipline on term formation). 
By the method of saturated sets, it is possible to show strong normalization of 
the term closure → of ▷. Of course, this requires an appropriate formulation of 
the notion of saturation. Moreover, we would reprove strong normalization of F 
instead of using this fact via an embedding into system F. Unfortunately, our 
embedding shown below does not extend to this reformulation which in some 
sense abuses the function types (via negation) for the explanation of reductio ad 
absurdum. Therefore, we abandon this reformulation. 

Another approach to avoid the peculiar substitution is taken in [?, pp. 17- 
20] and [?]: Instead of named terms [a]r, we have responses/commands [C]r 
(resp. ⟨r | C⟩) where C is a stack of terms with a μ-variable a at the bottom. 
This more general view of continuations/contexts allows to define the equality 
relation associated with μ-reduction by help of ordinary substitution. While 
this is sufficient for the study of equality in [?], we are interested in strong 
normalization. Hence, also the call-by-value and call-by-name formulations in 
[?] which are possible with ordinary substitution do not suffice. 

Second order λμ-calculus is strongly normalizing [?]. 

¹ It amounts to a λ-calculus notation for classical natural deduction in the style of 
Prawitz [?]. 
4 Extension of F by Iteration on Stabilization 

If ¬¬ρ → ρ is provable, then ρ is called stable. We consider an extension F^⇑ 
of system F by a least stable supertype ⇑ρ for any type ρ. This is expressed 
as follows: We add a type constant ⊥ for falsity² (and set ¬ρ := ρ → ⊥) and 
for every type ρ we assume the type ⇑ρ (⇑ is a unary type former) called the 
stabilization of ρ. 

The term system reflects that ⇑ρ is stable, that ρ embeds into ⇑ρ and that ⇑ρ 
is the least type with these properties³. We assume constants ι_{⇑ρ} of type ρ → ⇑ρ 
and S_{⇑ρ} of type ¬¬⇑ρ → ⇑ρ and add a term formation rule: If r has type ⇑ρ, τ is 
a type and s_1 : ρ → τ and s_2 : ¬¬τ → τ then rE_τs_1s_2 is a term of type τ. 

$$\iota_{\Uparrow\rho} : \rho \to {\Uparrow}\rho \qquad S_{\Uparrow\rho} : \neg\neg{\Uparrow}\rho \to {\Uparrow}\rho \qquad \frac{r : {\Uparrow}\rho \qquad s_1 : \rho \to \tau \qquad s_2 : \neg\neg\tau \to \tau}{rE_\tau s_1 s_2 : \tau}$$

Extend ▷ of system F by 

$$(\Uparrow\iota)\quad (\iota_{\Uparrow\rho}r)E_\tau s_1 s_2 \;\triangleright\; s_1 r$$

$$(\Uparrow S)\quad (S_{\Uparrow\rho}r)E_\tau s_1 s_2 \;\triangleright\; s_2\big(\lambda y^{\neg\tau}.r(\lambda z^{\Uparrow\rho}.y(zE_\tau s_1 s_2))\big).$$

In the second rule, we assume that y^{¬τ} and z^{⇑ρ} do not occur free in s_1 or s_2. Let 
→ be the term closure of ▷. Clearly, it enjoys subject reduction, i.e., if r^ρ → s^σ 
then ρ = σ. 

The presently defined system F^⇑ will be called F with iteration on stabiliza- 
tion. Let F^⊥ be F extended only by the type constant ⊥. Trivially, F^⊥ inherits 
strong normalization from F since we consider neither a term formation nor a 
rewrite rule for ⊥. 

Definition 1. A type-respecting reduction-preserving embedding (embedding for 
short) of a typed term rewrite system S into a typed term rewrite system S' is 
a function _' (the _ sign represents the indefinite argument of the function _') 
which assigns to every type ρ of S a type ρ' of S' and to every term r of type ρ 
of S a term r' of the (image) type ρ' of S' such that the following implication 
holds: If r → s in S, then r' →^+ s' in S'. (→^+ denotes the transitive closure of 
→.) 

Obviously, if there is an embedding of S into S', then strong normalization of 
S' is inherited by S. 

² ⊥ is just some constant: We do not assume an elimination rule expressing ex falso 
quodlibet. 

³ The author has recently been informed that already [?, p. 110] describes a similar 
idea: An inductively defined predicate may be "made classical" by adding stability 
as another clause to the definition. This turns the definition into a non-strictly 
positive one and enforces stability. Note, however, that non-strictly positive inductive 
definitions lead to inconsistencies in higher-order predicate logic, see the example 
reported in [?, p. 108]. In the framework of system F, we are in the fortunate 
situation that arbitrary types may be stabilized without harm to consistency. 
Lemma 1. There is an embedding of F^⇑ into F^⊥. 

Proof. By the very description, ⇑ρ is nothing but the non-strictly positive induc- 
tive type μα.ρ + ¬¬α with α ∉ FV(ρ), formulated without the sum type (do not 
mix up the notation μαρ for inductive types with μa^ρ r for reductio ad absurdum). 
Its canonical polymorphic encoding would be ∀α.((ρ + ¬¬α) → α) → α which 
can be simplified to ∀α.(ρ → α) → (¬¬α → α) → α. 

By iteration on the type ρ of F^⇑ define the type ρ' of F^⊥. This shall be done 
homomorphically in all cases except: 

$$({\Uparrow}\rho)' := \forall\alpha.(\rho' \to \alpha) \to (\neg\neg\alpha \to \alpha) \to \alpha$$

with α ∉ FV(ρ). Clearly, FV(ρ') = FV(ρ) and (ρ[α := σ])' = ρ'[α := σ']. 

By iteration on the term r : ρ of F^⇑ define the term r' : ρ' of F^⊥. (Simulta- 
neously, one has to show that the free variables of r' are the x^{ρ'} with x^ρ free in 
r.) We only consider the non-homomorphic cases. 

$$(\iota_{\Uparrow\rho})' := \lambda x^{\rho'}\Lambda\alpha\lambda x_1^{\rho'\to\alpha}\lambda x_2^{\neg\neg\alpha\to\alpha}.x_1 x$$

$$(S_{\Uparrow\rho})' := \lambda x^{\neg\neg({\Uparrow}\rho)'}\Lambda\alpha\lambda x_1^{\rho'\to\alpha}\lambda x_2^{\neg\neg\alpha\to\alpha}.x_2\big(\lambda y^{\neg\alpha}.x(\lambda z^{({\Uparrow}\rho)'}.y(z\alpha x_1 x_2))\big)$$

$$(rE_\tau s_1 s_2)' := r'\tau' s_1' s_2'.$$

Since (r[x^ρ := s])' = r'[x^{ρ'} := s'] and (r[α := ρ])' = r'[α := ρ'], this translation 
respects (β_→) and (β_∀). It is a trivial calculation to prove that 

$$((\iota_{\Uparrow\rho}r)E_\tau s_1 s_2)' \to^4 (s_1 r)' \quad\text{and}$$

$$((S_{\Uparrow\rho}r)E_\tau s_1 s_2)' \to^4 \big(s_2(\lambda y^{\neg\tau}.r(\lambda z^{\Uparrow\rho}.y(zE_\tau s_1 s_2)))\big)'.$$

(We use →^n to express n steps of →.) Therefore, _' is indeed an embedding. □ 
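To see the iteration principle of Lemma 1 at work, here is an added Python example (not from the paper): the three translated constants are written as untyped closures with the type abstraction erased, so `elim(r, s1, s2)` is r' s1' s2'. Because F^⊥ has no inhabitant of ⊥, the stability proof s_2 : ¬¬int → int needed to run the (⇑S) case is supplied by an escaping continuation (an `Escape` exception), which is this example's own assumption and a control effect rather than something the calculus provides. With that, `(ι r) E s1 s2` computes s_1 r, and `(S r) E s1 s2` pushes the eliminator under every stability layer until it reaches the embedded ι.

```python
"""Impredicative encoding of the stabilization type and its iteration rules in
untyped Python closures (added example; the encoding follows Lemma 1, the
realization of stability by escaping is an assumption of this example)."""

# (iota_{Up rho})' = \x. /\a. \x1 \x2. x1 x          (type abstraction erased)
def iota(x):
    return lambda x1: lambda x2: x1(x)

# (S_{Up rho})' = \x. /\a. \x1 \x2. x2(\y. x(\z. y(z a x1 x2)))
def stab(x):
    return lambda x1: lambda x2: x2(lambda y: x(lambda z: y(z(x1)(x2))))

# (r E_tau s1 s2)' = r' tau' s1' s2'
def elim(r, s1, s2):
    return r(s1)(s2)

class Escape(Exception):
    """Carries the value handed to the continuation standing for ¬tau."""
    def __init__(self, value):
        super().__init__(value)
        self.value = value

def throw(value):          # the continuation y : ¬tau of the (Up S) rule
    raise Escape(value)

def stable_int(k):
    """s2 : ¬¬int -> int, realised by running k with an escaping continuation.
    This is a control effect, not something F^bot itself provides."""
    try:
        k(throw)
    except Escape as e:
        return e.value
    raise RuntimeError("the double negation never produced a value")

def times_ten(n):          # s1 : int -> int
    return n * 10

def rule_iota(n):
    """(Up iota): (iota r) E s1 s2 reduces to s1 r."""
    return elim(iota(n), times_ten, stable_int)

def rule_stab(n, depth):
    """(Up S): (S r) E s1 s2 reduces to s2(\\y. r(\\z. y(z E s1 s2))).  Here r is
    a proof of ¬¬Up int that wraps iota(n) in `depth` further S layers; the
    eliminator is pushed under every layer and finally meets iota(n)."""
    r = iota(n)
    for _ in range(depth):
        inner = r
        r = stab(lambda k, inner=inner: k(inner))   # the ¬¬ proof hands inner to k
    return elim(r, times_ten, stable_int)

if __name__ == "__main__":
    print(rule_iota(7), rule_stab(7, 3))   # 70 70
```

Each `stab` layer contributes one nested `stable_int` frame, and the innermost `throw` unwinds through all of them; this is the operational counterpart of the embedding pushing E_τ s_1 s_2 underneath the double negation in rule (⇑S).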



5 Embedding Second Order A/.t-Calculus into F with 
Iteration on Stabilization 



In contrast to the proof of strong normalization of second order Ap-calculus in 
| Fnn| by a CPS translation which maps the terms to the left and the right side of 
(p_>) and (pv) to the same term, respectively, and therefore needs an additional 
argument for the strong normalization of (/r_>.) and (py) alone (without (/3->.) 
and (A/)), our translation given below also simulates those p-reductions and 
hence is an embedding. Note, however, that presents an embedding which is 
even easier — the only non-homomorphic rule is (Vap)' := 'ia.{-<-<a — >■ a) — > p' — 
but which heavily uses the fact that stability may be proved for those translated 
types from stability of their free type variables. This will rule out the extension 
to fixed-point types to be studied in the next section. 

Define the type p* of F** by iteration on the type p of second order Ap-calculus 
(in the sequel denoted by Xp) as follows: 



a* 

(p^ cr)* 
(Vap)* 



Va#p* 
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By induction on p one verifies that {p[a := cr])* = p*[a := a*] and FV(p*) = 
FV(p). 

The type translation of our embedding is given by p' := jlp*. Therefore, 

a' = jja 

(Vap)' = tt(Vap') 

and {p[a := a])' = p'[a := cr*], and also FV(p') = FV(p). 

Of course, p' could have been defined directly by iteration on p without 
reference to p* . However, the substitution property would not have looked so 
natural. Note that if we had used ~<~'P instead of jlp everywhere in this definition, 
we would have arrived at Kolmogorov’s negative translation used in [3I14| (the 
corresponding term translation would have been a translation in continuation- 
passing style). 

By iteration on the term r : p of \p define the term r' : p' of F**. (Simul- 
taneously, one has to show that the free variables of r' are the with a 
free normal variable in r and the a~'‘* with o'* a free p- variable in r. Hence, we 
assume that the names of the p- variables are also names of variables of our F**.) 

$(x^{\rho})' := x^{\rho'}$

$(\lambda x^{\rho} r^{\sigma})' := I_{(\rho\to\sigma)'}(\lambda x^{\rho'} r')$

$(r^{\rho\to\sigma} s^{\rho})' := r'\,E_{\sigma'}(\lambda z^{\rho'\to\sigma'}.\,z s')\,S_{\sigma'}$

$(\Lambda\alpha r^{\rho})' := I_{(\forall\alpha\rho)'}(\Lambda\alpha r')$

$(r^{\forall\alpha\rho}\sigma)' := r'\,E_{(\rho[\alpha:=\sigma])'}(\lambda z^{\forall\alpha\rho'}.\,z\sigma^*)\,S_{(\rho[\alpha:=\sigma])'}$

$(\mu a^{\sigma}.[b^{\rho}]r^{\rho})' := S_{\sigma'}(\lambda a^{\neg\sigma'}.\,b^{\neg\rho'} r')$

In the third clause, we assume that $z^{\rho'\to\sigma'}$ is not free in $s'$. Note that the fourth clause is legal since the proviso on the formation of $\Lambda\alpha r'$ is fulfilled by our statement which is proved simultaneously with the definition. The substitution property $(\rho[\alpha := \sigma])' = \rho'[\alpha := \sigma^*]$ is heavily used in the fifth clause. Finally observe that no definition is given for $a'$ since $a$ is no term.

It will now be useful to treat named terms as if they were terms. Therefore, the sixth rule decomposes into:

$([b^{\rho}]r^{\rho})' := b^{\neg\rho'} r' : \bot$

$(\mu a^{\sigma}.r)' := S_{\sigma'}(\lambda a^{\neg\sigma'}.\,r')$

Lemma 2. $(r[x^{\rho} := s])' = r'[x^{\rho'} := s']$ and $(r[\alpha := \rho])' = r'[\alpha := \rho^*]$.

Proof. Induction on $r$. □

Corollary 1. $((\lambda x^{\rho} r)s)' \to^{+} (r[x^{\rho} := s])'$ and $((\Lambda\alpha r)\sigma)' \to^{+} (r[\alpha := \sigma])'$.

Let $\to^*$ denote the reflexive transitive closure of $\to$.

Lemma 3. $r'[a^{\neg\rho'} := \lambda x^{\rho'}.\,b^{\neg\sigma'} t'] \to^* (r[x^{\rho}.[a^{\rho}]x := [b^{\sigma}]t])'$ for $t$ of type $\sigma$.
Proof. By induction on named terms and terms $r$. (“Special” substitution can readily be extended to terms $r$.) We show the only non-trivial case where $r$ has the form $[a^{\rho}]s$, hence with the same $\mu$-variable $a^{\rho}$. The left-hand side becomes

$(\lambda x^{\rho'}.\,b^{\neg\sigma'}t')\,s'[a^{\neg\rho'} := \lambda x^{\rho'}.\,b^{\neg\sigma'}t'].$

One beta reduction step yields

$b^{\neg\sigma'}t'[x^{\rho'} := s'[a^{\neg\rho'} := \lambda x^{\rho'}.\,b^{\neg\sigma'}t']].$

By induction hypothesis,

$s'[a^{\neg\rho'} := \lambda x^{\rho'}.\,b^{\neg\sigma'}t'] \to^* (s[x^{\rho}.[a^{\rho}]x := [b^{\sigma}]t])'.$

Hence, $\to^*$ leads to

$b^{\neg\sigma'}t'[x^{\rho'} := (s[x^{\rho}.[a^{\rho}]x := [b^{\sigma}]t])'].$

By the previous lemma,

$t'[x^{\rho'} := (s[x^{\rho}.[a^{\rho}]x := [b^{\sigma}]t])'] = \bigl(t[x^{\rho} := s[x^{\rho}.[a^{\rho}]x := [b^{\sigma}]t]]\bigr)'.$

To sum up, the left-hand side is in relation $\to^*$ to

$\bigl([b^{\sigma}]t[x^{\rho} := s[x^{\rho}.[a^{\rho}]x := [b^{\sigma}]t]]\bigr)'$

which is the right-hand side by the definition of “special” substitution. □

Theorem 1. $-'$ is an embedding of $\lambda\mu$ into $F^{S}$.

Proof. We only check that $\mu$-reduction steps give rise to at least one rewrite step of $F$ with stabilization. Since we already convinced ourselves that there are no problems with types, we will neglect the types altogether. As an additional benefit, we may treat both $\mu$-reductions uniformly (and will later profit from this uniformity in the extension by fixed-point types). Write $R$ for a term or a type. Define the term or type $\bar R$ as follows: $\bar r := r'$ and $\bar\rho := \rho^*$. The $\mu$-reduction rules now both become:

$(\mu a.[c]r)R \;\triangleright\; \mu b.([c]r)[x.[a]x := [b](xR)].$

Moreover, we uniformly have $(rR)' = r'\,E(\lambda z.z\bar R)\,S$. Therefore,

$((\mu a.[c]r)R)' = (S(\lambda a.\,c\,r'))\,E(\lambda z.z\bar R)\,S$

and one application of $(\beta S)$ leads to

$S\bigl(\lambda b.(\lambda a.\,c\,r')(\lambda x.\,b(x\,E(\lambda z.z\bar R)\,S))\bigr) = S\bigl(\lambda b.(\lambda a.([c]r)')(\lambda x.\,b\,(xR)')\bigr).$

One beta reduction step yields

$S\bigl(\lambda b.([c]r)'[a := \lambda x.\,b\,(xR)']\bigr) \to^* S\bigl(\lambda b.\,(([c]r)[x.[a]x := [b](xR)])'\bigr)$

by the previous lemma. This is $(\mu b.([c]r)[x.[a]x := [b](xR)])'$. □

Hence, second order $\lambda\mu$-calculus has been proven to be strongly normalizing once more since also $F^{S}$ has been embedded into the strongly normalizing system $F^{\bot}$.

6 Extension to Fixed-Point Types

We extend each system by non-interleaving positive fixed-point types: system F, system $F^{S}$ (with iteration on stabilization) and second order $\lambda\mu$-calculus. Our aim is to extend the embedding of $\lambda\mu$ via $F^{S}$ into $F^{\bot}$ to the variants $\lambda\mu^{f}$, $F^{Sf}$ and $F^{\bot f}$ with those fixed-point types.

System F with non-interleaving positive fixed-point types (in the sequel called $F^{f}$) essentially has been studied in […] under the name (ret) and its strong normalization shown by an embedding into Mendler’s system […]. A direct proof of strong normalization by saturated sets has been given in […] under the name NPF. There is strong evidence that no embedding into system F exists […].

We now extend system F by types $f\alpha\rho$ which are supposed to describe arbitrary fixed-points of $\lambda\alpha\rho$, i.e., of the operation $\sigma \mapsto \rho[\alpha := \sigma]$. We confine ourselves to (non-strictly) positive dependencies which moreover have to be non-interleaved, i.e., $f\alpha\rho$ may only be formed when every occurrence of $\alpha$ in $\rho$ is “to the left of an even number of $\to$” and not free in some subexpression $f\beta\sigma$ of $f\alpha\rho$. The last clause may be rephrased as follows: If fixed-point types $f\beta\sigma$ are formed with a free parameter $\alpha$ then the formation of a fixed-point type $f\alpha\rho$ (hence w.r.t. that parameter $\alpha$) is forbidden.¹ More formally:

Definition 2. We inductively define the set $T_{npf}$ of non-interleaving positive fixed-point types and simultaneously for every $\rho \in T_{npf}$ the sets $N_+(\rho)$ and $N_-(\rho)$ of type variables which occur only positively or occur only negatively, respectively, and moreover do not occur in the scope of a fixed-point type formation (the set $FV(\rho)$ of free type variables is defined as before with the additional $FV(f\alpha\rho) := FV(\rho) \setminus \{\alpha\}$). Let always $p$ range over the set $\{+, -\}$ of polarities and set $-+ := -$ and $-- := +$. Let $TV$ be the set of type variables.

$\alpha \in T_{npf}$. $N_+(\alpha) := TV$. $N_-(\alpha) := TV \setminus \{\alpha\}$.

If $\rho, \sigma \in T_{npf}$ then $\rho \to \sigma \in T_{npf}$ and $N_p(\rho \to \sigma) := N_{-p}(\rho) \cap N_p(\sigma)$.

If $\rho \in T_{npf}$ then $\forall\alpha\rho \in T_{npf}$ and $N_p(\forall\alpha\rho) := N_p(\rho) \cup \{\alpha\}$.

If $\rho \in T_{npf}$ and $\alpha \in N_+(\rho)$ (the only place where the $N_p(\rho)$ enter the conditions) then $f\alpha\rho \in T_{npf}$ and $N_p(f\alpha\rho) := TV \setminus FV(f\alpha\rho)$.

¹ Note that otherwise there would be a very high degree of freedom in the interpretation of $f\alpha\rho$ since $f\beta\sigma$ is intended only to model an arbitrary fixed-point.

Note the change of the polarity in the second rule which substantiates the slogan that $\alpha$’s occurrences may only be to the left of an even number of $\to$. In the last rule we achieve non-interleavedness by removing any free variable of $f\alpha\rho$.

It is somewhat awkward to prove that $T_{npf}$ is closed under substitution […, p. 303]. Since it nevertheless holds, we may extend system F to $T_{npf}$ and moreover add the following term formation rules: If $t : \rho[\alpha := f\alpha\rho]$ then $C_{f\alpha\rho}\,t : f\alpha\rho$. If $r : f\alpha\rho$ then $r\,E_f : \rho[\alpha := f\alpha\rho]$.

$\dfrac{t : \rho[\alpha := f\alpha\rho]}{C_{f\alpha\rho}\,t : f\alpha\rho} \qquad \dfrac{r : f\alpha\rho}{r\,E_f : \rho[\alpha := f\alpha\rho]}$

Beta reduction for fixed-point types will extend $\triangleright$ of F by

$(\beta f)\quad (C_{f\alpha\rho}\,t)\,E_f \;\triangleright\; t\,.$

This constitutes $F^{f}$. It has been mentioned above that the term closure of $\triangleright$ is strongly normalizing, i.e., $F^{f}$ is strongly normalizing. Let $F^{\bot f}$ be its extension by the type constant $\bot$. As before, strong normalization is inherited.

Likewise extend system $F^{S}$ by non-interleaving positive fixed-point types to yield system $F^{Sf}$. We also write $T_{npf}$ for its set of types which additionally has the rules:

$\bot \in T_{npf}$. $N_p(\bot) := TV$.

If $\rho \in T_{npf}$ then $\Uparrow\rho \in T_{npf}$ and $N_p(\Uparrow\rho) := N_p(\rho)$.

We may now add the same term formation rules and $(\beta f)$ as above. It is clear that the embedding of $F^{S}$ into $F^{\bot}$ immediately extends to an embedding of $F^{Sf}$ into $F^{\bot f}$: one only has to add homomorphic clauses for the new type former and the new term formation rules. (Note that $(\rho[\alpha := f\alpha\rho])' = \rho'[\alpha := (f\alpha\rho)'] = \rho'[\alpha := f\alpha\rho']$ indicates that the new type former does not pose any problem with the embedding.)

$\lambda\mu$ may as well be extended to the types $T_{npf}$ (the original definition). We again add the two term formation rules and $(\beta f)$ but also a $\mu$-rule pertaining to the fixed-point types:

$(\mu f)\quad (\mu a^{f\alpha\rho}.r)\,E_f \;\triangleright\; \mu b^{\rho[\alpha := f\alpha\rho]}.\,r[x^{f\alpha\rho}.[a^{f\alpha\rho}]x := [b](x\,E_f)]$

with $r$ a named term. It strictly follows the pattern given in the proof of Theorem 1 if we also consider $E_f$ as a possible value of $R$. Hence, the $\mu$-reduction rules are still uniformly described by (the untyped pattern)

$(\mu a.[c]r)R \;\triangleright\; \mu b.([c]r)[x.[a]x := [b](xR)].$

The resulting system shall be denoted by $\lambda\mu^{f}$. Let us extend the embedding of the previous section. Define the type $\rho^*$ of $F^{Sf}$ by iteration on the type $\rho$ of $\lambda\mu^{f}$ as follows (and simultaneously prove that $N_p(\rho^*) = N_p(\rho)$ and $FV(\rho^*) = FV(\rho)$):



$\alpha^* := \alpha$

$(\rho \to \sigma)^* := \Uparrow\rho^* \to \Uparrow\sigma^*$

$(\forall\alpha\rho)^* := \forall\alpha\Uparrow\rho^*$

$(f\alpha\rho)^* := f\alpha\Uparrow\rho^*$
The last clause is legal since $\alpha \in N_+(\rho) = N_+(\rho^*) = N_+(\Uparrow\rho^*)$ by the simultaneously proved statement.

By induction on $\rho$ one again verifies that $(\rho[\alpha := \sigma])^* = \rho^*[\alpha := \sigma^*]$.

Again set $\rho' := \Uparrow\rho^*$ which implies that $(f\alpha\rho)' = \Uparrow(f\alpha\rho')$. Also we still have $(\rho[\alpha := \sigma])' = \rho'[\alpha := \sigma^*]$ and $FV(\rho') = FV(\rho)$.
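The polarity bookkeeping of Definition 2 and the type translation $\rho^*$ just extended to fixed-point types are mechanical enough to run. The Python program below is an added example written for this page, not code from the paper: it represents types as small dataclasses, computes the complements of $N_+(\rho)$ and $N_-(\rho)$ (these complements are finite sets, so the infinite set $TV$ never has to be materialized), rejects fixed-point formations that violate the positivity or the non-interleaving side condition, and lets one check on sample types that $N_p(\rho^*) = N_p(\rho)$, $FV(\rho^*) = FV(\rho)$ and $(\rho[\alpha := \sigma])^* = \rho^*[\alpha := \sigma^*]$. The ASCII spellings (`Fix` for $f\alpha\rho$, `Stab` for the stabilization type former) and the sample types are this example's own choices; the substitution deliberately assumes that no binder captures a free variable of the substituted type.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Union

# Type syntax of lambda-mu with fixed-point types (Var, Arrow, Forall, Fix)
# plus the target system's extra constructors: Bot (the constant bottom type)
# and Stab (the stabilization type). ASCII spellings are this example's own.
@dataclass(frozen=True)
class Var:
    name: str
@dataclass(frozen=True)
class Arrow:
    dom: "Ty"
    cod: "Ty"
@dataclass(frozen=True)
class Forall:
    var: str
    body: "Ty"
@dataclass(frozen=True)
class Fix:
    var: str
    body: "Ty"
@dataclass(frozen=True)
class Bot:
    pass
@dataclass(frozen=True)
class Stab:
    body: "Ty"
Ty = Union[Var, Arrow, Forall, Fix, Bot, Stab]


def fv(t: Ty) -> frozenset:
    """Free type variables, with FV(f a.rho) = FV(rho) minus {a}."""
    if isinstance(t, Var):
        return frozenset({t.name})
    if isinstance(t, Arrow):
        return fv(t.dom) | fv(t.cod)
    if isinstance(t, (Forall, Fix)):
        return fv(t.body) - {t.var}
    return fv(t.body) if isinstance(t, Stab) else frozenset()


def polarity(t: Ty):
    """(P, M) with P = TV minus N+(t), M = TV minus N-(t): the complements of
    the sets of Definition 2, so everything stays finite. Raises TypeError
    when a fixed-point type violates its side condition a in N+(rho)."""
    if isinstance(t, Var):
        return frozenset(), frozenset({t.name})
    if isinstance(t, Bot):
        return frozenset(), frozenset()
    if isinstance(t, Stab):                 # N_p(Stab rho) = N_p(rho)
        return polarity(t.body)
    if isinstance(t, Arrow):                # N_p(rho->sigma) = N_-p(rho) & N_p(sigma)
        p1, m1 = polarity(t.dom)
        p2, m2 = polarity(t.cod)
        return m1 | p2, p1 | m2
    if isinstance(t, Forall):               # N_p(forall a.rho) = N_p(rho) | {a}
        p, m = polarity(t.body)
        return p - {t.var}, m - {t.var}
    p, _ = polarity(t.body)                 # Fix: needs a in N+(body)
    if t.var in p:
        raise TypeError(f"{t.var} is not in N+ of the body of {t}")
    return fv(t), fv(t)                     # N_p(f a.rho) = TV minus FV(f a.rho)


def in_tnpf(t: Ty) -> bool:
    """Membership in Tnpf (non-interleaving positive fixed-point types)."""
    try:
        polarity(t)
        return True
    except TypeError:
        return False


def star(t: Ty) -> Ty:
    """rho* of the paper; rho' is then Stab(star(rho)). Source types have no Bot/Stab."""
    if isinstance(t, Var):
        return t
    if isinstance(t, Arrow):
        return Arrow(Stab(star(t.dom)), Stab(star(t.cod)))
    return type(t)(t.var, Stab(star(t.body)))   # Forall and Fix


def subst(t: Ty, a: str, s: Ty) -> Ty:
    """t[a := s]; assumes no binder of t captures a free variable of s."""
    if isinstance(t, Var):
        return s if t.name == a else t
    if isinstance(t, Arrow):
        return Arrow(subst(t.dom, a, s), subst(t.cod, a, s))
    if isinstance(t, Stab):
        return Stab(subst(t.body, a, s))
    if isinstance(t, (Forall, Fix)) and t.var != a:
        return type(t)(t.var, subst(t.body, a, s))
    return t                                    # Bot, or a is bound here


# Constructed sample types (not taken from the paper).
a, b, g, d = Var("a"), Var("b"), Var("g"), Var("d")
POSITIVE = Fix("a", Arrow(Arrow(a, g), g))                 # a left of two arrows: in Tnpf
NEGATIVE = Fix("a", Arrow(a, g))                           # a left of one arrow: rejected
INTERLEAVED = Fix("a", Fix("b", Arrow(Arrow(a, b), b)))    # a positive but inside f b: rejected
QUANTIFIED = Fix("a", Forall("b", Arrow(Arrow(a, b), b)))  # in Tnpf
```

`INTERLEAVED` is the instructive case: `a` occurs only positively, yet the inner fixed-point type removes every free variable from its $N_p$, so the outer formation fails exactly as the last clause of Definition 2 prescribes.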

The previous translation of the terms is extended by clauses for the new term formation rules. If we set $\bar E_f := E_f$, then the crucial rule follows the usual (untyped) pattern:

$(rR)' := r'\,E(\lambda z.z\bar R)\,S$

The new rules are

$(C_{f\alpha\rho}\,t)' := I_{(f\alpha\rho)'}(C_{f\alpha\rho'}\,t')$

$(r^{f\alpha\rho}E_f)' := r'\,E_{(\rho[\alpha := f\alpha\rho])'}(\lambda z^{f\alpha\rho'}.\,z\,E_f)\,S_{(\rho[\alpha := f\alpha\rho])'}$

Notice that the first term is well-typed since $t' : (\rho[\alpha := f\alpha\rho])'$ and

$(\rho[\alpha := f\alpha\rho])' = \rho'[\alpha := (f\alpha\rho)^*] = \rho'[\alpha := f\alpha\rho'].$

The crucial equation $(\rho[\alpha := f\alpha\rho])' = \rho'[\alpha := f\alpha\rho']$ also justifies the second definition.

Theorem 2. $-'$ is an embedding of $\lambda\mu^{f}$ into $F^{Sf}$.

Proof. Lemma 2 and Lemma 3 clearly still hold, $((C_{f\alpha\rho}\,t)E_f)' \to^{+} (C_{f\alpha\rho'}\,t')E_f \to t'$, and the treatment of $(\mu f)$ is already captured by the uniform proof of Theorem 1. □

Corollary 2. The system $\lambda\mu^{f}$ of second order $\lambda\mu$-calculus with non-interleaving positive fixed-point types is strongly normalizing.

Remark 2. There seems to be a widespread belief that in some sense $\mu$-reductions are nothing but an exploitation of the fact that stability of a type may be proved from the stability of its atoms. This immediately works for first-order $\lambda\mu$-calculus (only function types) since the stability of $\rho \to \sigma$ is derivable from stability of $\sigma$. Since also the stability of $\forall\alpha\rho$ is derivable from that of $\rho$, one may expect that the universal quantifier also is well-behaved. But notice that the set of atoms (type variables) varies with quantification. Nevertheless, it is possible to give an embedding on grounds of this view […]. As remarked in the introduction to the previous section, the crucial clause is $(\forall\alpha\rho)' := \forall\alpha.(\neg\neg\alpha \to \alpha) \to \rho'$, hence a relativization which neatly solves the problem.

What is the problem with fixed-points? It is again possible to derive the stability of $f\alpha\rho$ from that of $\rho[\alpha := f\alpha\rho]$:

$\lambda u^{\neg\neg\rho[\alpha := f\alpha\rho] \to \rho[\alpha := f\alpha\rho]}\,\lambda x^{\neg\neg f\alpha\rho}.\,C_{f\alpha\rho}\bigl(u(\lambda y^{\neg\rho[\alpha := f\alpha\rho]}.\,x(\lambda z^{f\alpha\rho}.\,y(z\,E_f)))\bigr).$

But the latter type is usually more complex than the former! Therefore, I do not see a way to extend the idea of reducing the proof of stability to that of the free type variables. How could one define stability proofs for $\rho'$ by iteration on $\rho$ with some easy translation $-'$? Our embedding shown above does not at all care about such a definition since every $\rho'$ is stable by construction.
Remark 3. One could ask for other type constructions where stability is not inherited from the constituent types. It is well-known that sum types (disjunction) provide an example of this phenomenon. Unfortunately, the embedding into $F^{S}$ does not extend to sum types with permutative conversions but only without them. A solution could be to introduce permutative conversions for the stabilization types. At present, we could as well take the impredicative encoding of sums and also get the respective $\mu$-reduction for free (inside $\lambda\mu$). This idea will be demonstrated in the next section for the more interesting case of monotone inductive types with primitive recursion.

7 Second Order $\lambda\mu$-Calculus with Primitive Recursion on Monotone Inductive Types Is Strongly Normalizing

Inductive types are a syntactic representation of least pre-fixed-points of operations $\sigma \mapsto \rho[\alpha := \sigma]$. Typically, they are studied as long as $\alpha$ only occurs positively in $\rho$. (Often, even interleaving is ruled out.) Nevertheless, it turned out […, sect. 6.3 in chap. 2] that the only needed ingredient for a useful notion of inductive type is a monotonicity witness, i.e., a term of type $\forall\alpha\forall\beta.(\alpha \to \beta) \to \rho \to \rho[\alpha := \beta]$ (in […] monotone specifications are considered instead). If those terms are not given beforehand but incorporated into the term system they even do not need to be closed in order to guarantee strong normalization of the rewrite rules associated with them […]. There is a choice whether the monotonicity witnesses are attached to the introduction rule or to the elimination rule which is primitive recursion. In both cases one has strong normalization […], in the second case this even has been shown by an embedding into system […]. However, for practical purposes the first variant seems more adequate. Fortunately, it also embeds into system $F^{f}$ which will be the key to this section’s result.

Recall that the product type $\rho \times \sigma$ may be impredicatively encoded in system F by $\rho \times \sigma := \forall\alpha.(\rho \to \sigma \to \alpha) \to \alpha$ for $\alpha \notin FV(\rho) \cup FV(\sigma)$. If $r : \rho$ and $s : \sigma$ then $\langle r, s\rangle := \Lambda\alpha\,\lambda z^{\rho \to \sigma \to \alpha}.\,z\,r\,s : \rho \times \sigma$.

Second order $\lambda\mu$-calculus with primitive recursion on monotone inductive types (in the sequel denoted by $\lambda\mu^{\mu}$) is defined as an extension of second order $\lambda\mu$-calculus by arbitrary types $\mu\alpha\rho$ ($\mu$ binds $\alpha$ in $\rho$) and by the following term formation rules:

If $m : \forall\alpha\forall\beta.(\alpha \to \beta) \to \rho \to \rho[\alpha := \beta]$ and $t : \rho[\alpha := \mu\alpha\rho]$ then $C_{\mu\alpha\rho}\,m\,t : \mu\alpha\rho$.

If $r : \mu\alpha\rho$ and $s : \rho[\alpha := \mu\alpha\rho \times \sigma] \to \sigma$ then $r\,E_\mu\sigma s : \sigma$.

$\dfrac{m : \forall\alpha\forall\beta.(\alpha \to \beta) \to \rho \to \rho[\alpha := \beta] \qquad t : \rho[\alpha := \mu\alpha\rho]}{C_{\mu\alpha\rho}\,m\,t : \mu\alpha\rho}$

$\dfrac{r : \mu\alpha\rho \qquad s : \rho[\alpha := \mu\alpha\rho \times \sigma] \to \sigma}{r\,E_\mu\sigma s : \sigma}$

The associated beta reduction rule of primitive recursion is

$(\beta\mu)\quad (C_{\mu\alpha\rho}\,m\,t)\,E_\mu\sigma s \;\triangleright\; s\bigl(m\,(\mu\alpha\rho)\,(\mu\alpha\rho \times \sigma)\,(\lambda x^{\mu\alpha\rho}.\langle x, x\,E_\mu\sigma s\rangle)\,t\bigr)$
The $\mu$-reduction rule ($\mu$ in the sense of Parigot) follows the standard pattern if we now even allow $R$ to be $E_\mu\sigma s$:

$(\mu a^{\mu\alpha\rho}.r)\,E_\mu\sigma s \;\triangleright\; \mu b^{\sigma}.\,r[x^{\mu\alpha\rho}.[a^{\mu\alpha\rho}]x := [b](x\,E_\mu\sigma s)]$

Again, $r$ denotes a named term in this rule. Note that $\sigma$ is not at all related to $\mu\alpha\rho$.

Theorem 3. There is an embedding of $\lambda\mu^{\mu}$ into $\lambda\mu^{f}$.

Proof. $\rho' \in T_{npf}$ is defined by iteration on $\rho$. The only non-homomorphic clause is that for $\mu\alpha\rho$:

$(\mu\alpha\rho)' := f\beta.\forall\gamma.\bigl(\bigl(\forall\alpha.(\beta \times \gamma \to \alpha) \to \rho'\bigr) \to \gamma\bigr) \to \gamma\,.$

We assume that $\beta, \gamma \notin \{\alpha\} \cup FV(\rho)$. In fact, the only occurrence of $\beta$ is 6 times to the left of $\to$ (do not forget that the coding of $\beta \times \gamma$ provides 2 of them). It is easy to see that $(\rho[\alpha := \sigma])' = \rho'[\alpha := \sigma']$ and $FV(\rho') = FV(\rho)$.

The translation of the terms is also defined homomorphically, with the exception of the two clauses for monotone inductive types:

m'{papYa(^Xx^^°‘^^ .u{x, {Xx^^°'^^ .xEf^z)x)'jt'^^ 

and 

{rE^asY := x 



Since $(r[x^{\rho} := s])' = r'[x^{\rho'} := s']$ and $(r[\alpha := \rho])' = r'[\alpha := \rho']$, also this translation respects $(\beta\!\to)$ and $(\beta\forall)$. It is an interesting exercise to prove that also $(\beta\mu)$ is simulated.

Since the other term formation rules including reductio ad absurdum are translated homomorphically, we may set $([b^{\sigma}]r)' := [b^{\sigma'}]r'$ and hence have a translation also for named terms. Consequently, $(\mu a^{\sigma}.r)' = \mu a^{\sigma'}.r'$ with $r$ a named term. In order to treat the $\mu$-reduction rules we need $(r[x.[a]x := [b]t])' = r'[x.[a]x := [b]t']$ for named terms $r$, but this is proved for named terms and for ordinary terms $r$ simultaneously by induction on the size of $r$.

By induction on natural numbers $n$, one easily gets (only with $\mu$-reductions) that

$(\mu a.r)R_1 \ldots R_n \to^{n} \mu b.\,r[x.[a]x := [b](xR_1 \ldots R_n)]$

(where $R_1, \ldots, R_n$ are terms or types or objects of the form $E_\mu\sigma s$). Of course, this is compatible with the typing requirements.

Therefore, also $(\mu\mu)$ is simulated:

$((\mu a.r)E_\mu\sigma s)' = (\mu a.r')\,E_f\,\sigma'\,(\lambda z.\,s' \ldots) \to^{3} \mu b.\,r'[x.[a]x := [b](x\,E_f\,\sigma'\,(\lambda z.\,s' \ldots))] = \mu b.\,r'[x.[a]x := [b](x\,E_\mu\sigma s)'] = \mu b.\,(r[x.[a]x := [b](x\,E_\mu\sigma s)])' = (\mu b.\,r[x.[a]x := [b](x\,E_\mu\sigma s)])'.$

The other $\mu$-reductions are treated slightly easier. □
Remark 4. There is no hope for an embedding in the style of the previous section with fixed-point types replaced by inductive types, i.e., for a direct embedding of $\lambda\mu^{\mu}$ into $F^{S}$, extended by primitive recursion on monotone inductive types. Firstly, the function spaces are overly used for the purpose of defining the typing for $r\,E_\mu\sigma s$. Secondly, if we replaced it by

$\dfrac{r : \mu\alpha\rho \qquad s_0 : \sigma}{\ldots : \sigma}$

where … is bound in $s_0$, we cannot use $(\rho[\alpha := \mu\alpha\rho \times \sigma])'$ since $\times$ is encoded. Assume it were explicitly included into the system. Then we would get $(\rho[\alpha := \mu\alpha\rho \times \sigma])' = \rho'[\alpha := (\mu\alpha\rho \times \sigma)^*] = \rho'[\alpha := (\mu\alpha\rho)' \times \sigma']$. But we would need $\mu\alpha\rho'$ instead of $(\mu\alpha\rho)'$. And this would have to be lifted with a monotonicity witness for $\rho'$ w.r.t. $\alpha$. But we do not even have a monotonicity witness for $\mu\alpha\rho$ at hand since those only come with the introduction rule for $\mu\alpha\rho$. Consequently, we first have to get rid of the inductive types (in favour of fixed-point types) before we can attack reductio ad absurdum.



Corollary 3. Second order $\lambda\mu$-calculus with primitive recursion on monotone inductive types is strongly normalizing.

8 Conclusions and Future Work

An alternative to the Kolmogorov translation of classical logic into minimal logic has been presented which simplifies proofs of normalization for a classical version of $\lambda$-calculus (Parigot’s $\lambda\mu$). The translation using stabilization types properly simulates Parigot’s $\mu$-reductions and carries over to extensions of system F. The logical reading of the main theorem gives consistency for classical second-order propositional logic with “extended induction” on monotone inductive propositions (where extended induction is given by reading the typing rule for $E_\mu$ as an inference rule of natural deduction).

On the computational side, the result gives an application of iteration on non-strictly positive inductive types. However, the exact nature of the computation involved in this translation should be further studied. Does it exemplify a programming style comparable to continuation-passing style? Moreover, does the method help in understanding other $\lambda$-calculi for classical logic such as symmetric $\lambda$-calculus?
Abstract. In this paper, we introduce a new type system, the Implicit Calculus of Constructions, which is a Curry-style variant of the Calculus of Constructions that we extend by adding an intersection type binder — called the implicit dependent product. Unlike the usual approach of Type Assignment Systems, the implicit product can be used at every place in the universe hierarchy. We study syntactical properties of this calculus such as the $\beta\eta$-subject reduction property, and we show that the implicit product induces a rich subtyping relation over the type system in a natural way. We also illustrate the specificities of this calculus by revisiting the impredicative encodings of the Calculus of Constructions, and we show that their translation into the implicit calculus helps to reflect the computational meaning of the underlying terms in a more accurate way.



1 Introduction 

In the last two decades, the proofs-as-programs paradigm — the Curry-Howard isomorphism — has been used successfully both for understanding the computational meaning of intuitionistic proofs and for implementing proof-assistant tools based on Type Theory. Since the work of Martin-Löf in the 70’s, a large scale of rich formalisms have been proposed to enhance the expressiveness of Type Theory. Among those formalisms, the theory of Pure Type Systems (PTS)¹ […] plays an important role since it attempts to give a unifying framework to what seems to be a ‘jungle of formalisms’ for the one who enters for the first time into the field of Type Theory. Most modern proof assistants based on the Curry-Howard isomorphism such as Alf […], Coq […], LEGO […] or Nuprl […] implement a formalism which belongs to this family².

Despite this, PTS-based formalisms have some practical and theoretical drawbacks, due to the inherent ‘verbosity’ of their terms, which tends to over-use abstraction and application, particularly for type arguments. This is especially true when compared with ML-style languages.

¹ Formerly called Generalized Type Systems.

² In fact, this is only true for the core language of those proof-assistants, since they also implement features that go beyond the strict framework of PTS, such as sigma-types, primitive inductive data-type declarations and recursive function definitions.

S. Abramsky (Ed.): TLCA 2001, LNCS 2044, pp. 344-…, 2001.
© Springer-Verlag Berlin Heidelberg 2001

The Implicit Calculus of Constructions 345

From a practical point of view, writing polymorphic functional programs may become difficult since the programmer has to explicitly instantiate each polymorphic function with the appropriate type arguments before applying its ‘real’ arguments. However, there are good reasons to write those extra annotations in a PTS. The first reason is that there is in general no syntactic distinction between types and terms: type abstraction (type application) is only a particular case of $\lambda$-abstraction (term application). Another reason is that without such type annotations, decidability of type-checking may be lost when the considered PTS is expressive enough. This is the case of system F for example […].

From a more theoretical point of view, the verbosity of PTS-terms also tends to hide the real computational contents of proof-terms behind a lot of ‘noise’ induced by all those type abstractions and applications. A simple example is given by the Leibniz equality which can be defined impredicatively in the Calculus of Constructions³ by

$\mathit{eq} = \lambda A{:}\mathsf{Set}.\ \lambda x, y{:}A.\ \Pi P{:}A \to \mathsf{Prop}.\ P\,x \to P\,y \ :\ \Pi A{:}\mathsf{Set}.\ A \to A \to \mathsf{Prop}$

Using that definition, we can prove reflexivity of equality by the following term:

$\lambda A{:}\mathsf{Set}.\ \lambda x{:}A.\ \lambda P{:}A \to \mathsf{Prop}.\ \lambda p{:}P\,x.\ p \ :\ \Pi A{:}\mathsf{Set}.\ \Pi x{:}A.\ \mathit{eq}\,A\,x\,x.$

What is the computational meaning of this proof? It is simply the identity function $\lambda p.p$. To understand that point, let us remove type annotations in all $\lambda$-abstractions (since they play no role in the process of computation) to obtain:

$\lambda A.\ \lambda x.\ \lambda P.\ \lambda p.\ p \ :\ \Pi A{:}\mathsf{Set}.\ \Pi x{:}A.\ \mathit{eq}\,A\,x\,x.$

The term above shows that the first three arguments are only used for type-checking purposes, and that only the fourth one is really involved in the computation process.

Many solutions have been proposed to that problem, both on the theoretical and practical sides. Most proof assistants (Coq […], LEGO […]) implement some kind of ‘implicit arguments’ to spare the user the nuisance of writing redundant applications that the system can automatically infer.



A Common Practical Approach. Generally, implementations dealing with implicit arguments are based on a distinction between two kinds of products, abstractions and applications, which may be either ‘explicit’ or ‘implicit’. Although explicit and implicit constructions do not semantically differ, the proof-checking system distinguishes them by allowing the user to omit arguments of implicit applications — the ‘implicit arguments’ — provided the system is able to infer them. Such arguments are reconstructed during the type-checking process and then silently kept in the internal representation of terms, since they might be needed later by the conversion test.

³ For an explanation about the distinction Prop/Set, see paragraph 2.1.

The major advantage of this method is to keep the semantics of the original 
calculus — modulo the coloring of the syntax — since implicit arguments are only 
implicit for the user, but not for the system. Nevertheless, the user may some- 
times be confused by the fact that the system keeps implicit arguments behind 
its back, especially when two (dependent) types are printed identically although 
they are not internally identical, due to hidden implicit arguments. 

A Calculus with ‘Really Implicit’ Arguments. In […], M. Hagiya and Y. Toda have studied the possibility of dropping implicit arguments out of the internal representation of the terms of the bicolored Calculus of Constructions — that is, the Calculus of Constructions with explicit and implicit constructors. Their work is based on the following idea: if we ensure uniqueness of the reconstruction of implicit arguments (up to $\beta$-conversion), then we can drop implicit arguments out of the internal representation of terms, since the $\beta$-conversion test on implicit terms (i.e. terms where implicit arguments have been erased) will give the same result as if performed on the corresponding reconstructed explicit terms.

To achieve this goal, they propose a restriction of the syntax of implicit terms in order to ensure decidability and uniqueness (up to $\beta$-conversion) of the reconstruction of implicit arguments. But their restriction actually seems to be too drastic, since it forbids the use of the implicit abstraction in order to avoid dynamic type-checking during $\beta$-reduction […].



The Theoretical Approach of Type Assignment Systems. On the theoretical side, many Curry-style formalisms have been proposed as ‘implicit’ counterparts of usual Pure Type Systems, such as the Curry-style system F […]. In […], P. Giannini et al. proposed a uniform description of Curry-style variants of the systems of the cube, which they call the Type Assignment Systems (TAS) — as opposed to (Pure) Type Systems. This work follows the idea that from a purely computational point of view, polymorphic terms of the systems of the cube do not depend on their type arguments (this is called ‘structural polymorphism’). As a consequence, the authors define an erasing function from Barendregt’s cube to the cube of TAS, which precisely erases all the type dependencies in proof terms, thus mapping PTS-style proof-terms to ordinary pure $\lambda$-terms.

The major difference between this work and the approaches described above is that the implicit use of the dependent product is not determined by some coloring of the syntax, but by the stratification of terms. In other words, a dependent product of TAS is ‘implicit’ if and only if it is formed by the rule of polymorphism and, in all other cases, it is an ‘explicit’ product. Also notice that in the TAS framework, the erasing function does not only erase polymorphic applications, but it also erases polymorphic abstractions and type annotations in proof-term abstractions.

It is interesting to mention that the (theoretical) approach of TAS raises the same problem as the (practical) approach of M. Hagiya and Y. Toda: if the erasing function erases too much information, then it will identify terms which were not originally convertible. The isomorphism between ‘explicit’ and ‘implicit’ formalisms is then irremediably lost. In the framework of TAS, this problem arises in the systems of the cube involving dependent types […].



Towards Implicit Pure Type Systems. The main limitation of the approach of TAS is that it restricts the ‘implicit’ use of the dependent product to polymorphism. If we want to generalize this approach to all PTS — which are not necessarily impredicative — it seems natural to equip them with an implicit product binder (written $\forall x{:}T.U$). Such a syntactic distinction naturally disconnects the kind of dependent product (explicit or implicit) from the stratification. Nevertheless, this approach raises two important issues:

The first one is that the presence of an implicit product binder (which can be used at any level of the hierarchy) induces a deep change of the underlying semantics. In particular, the isomorphism between explicit and implicit formalisms is definitively lost. This is not necessarily a negative aspect: it simply means that in our approach, ‘implicit arguments’ are now really implicit, in the sense that they can no more be interpreted by some invisible applications or abstractions. (In particular, the domain-theoretical model described in [13] really interprets implicit products as intersections.)

The other point raised by the introduction of an implicit product binder is that the arguments which may become really implicit (without jeopardizing the consistency of the system) have little to do with the arguments that today’s algorithms are able to infer (this will be illustrated by our examples in Sect. […]). For that reason, our approach has mostly a theoretical significance, especially to understand the computational meaning of proofs, but the formalism seems to be a bad candidate for being used practically in a real proof-checking environment.

In the following, we will concentrate our study on the case of the Implicit Calculus of Constructions. However, our approach is general enough to be extended to all the other PTS. In particular, most syntactic results of Sect. 3 can be generalized to what we could call Implicit Pure Type Systems.



2 The Implicit Calculus of Constructions 

2.1 Syntax 

The Implicit Calculus of Constructions (ICC) — or, shortly, the implicit calculus — is a Curry-style variant of the Calculus of Constructions with universes — a.k.a. ECC […] — in which we make a distinction between two forms of dependent products: the explicit product, denoted by $\Pi x{:}T.U$, and the implicit product, denoted by $\forall x{:}T.U$. The syntax of sorts, terms and contexts is given in Fig. 1. We follow here the convention of the Calculus of Inductive Constructions […] by making a distinction between two impredicative sorts: a sort Prop for propositional types, and a sort Set for impredicative data types. However, both impredicative sorts are isomorphic for the typing rules.
Sorts    $s ::= \mathsf{Set} \mid \mathsf{Prop} \mid \mathsf{Type}_i \ (i > 0)$

Terms    $M, N, T, U ::= x \mid s \mid \Pi x{:}T.U \mid \forall x{:}T.U \mid \lambda x.M \mid M\,N$

Contexts $\Gamma, \Delta ::= [\,] \mid \Gamma; [x : T]$

Fig. 1. Syntax of the Implicit Calculus of Constructions



Terms will be considered up to $\alpha$-conversion. The set of free variables of a term $M$ is written $FV(M)$, and $M\{x := N\}$ denotes the (external) substitution operation. Notice that the product binders $\Pi x{:}T.U$ and $\forall x{:}T.U$ bind all the free occurrences of the variable $x$ in $U$, but none of the occurrences of $x$ in $T$. The non-dependent explicit product $\Pi x{:}T.U$ (where $x \notin FV(U)$) is written $T \to U$.⁴ We will also follow the usual writing conventions of the $\lambda$-calculus by associating type arrows to the right, multiple applications to the left, and by factorizing consecutive $\lambda$-abstractions.

A declaration is an ordered pair denoted by $(x : T)$, where $x$ is a variable and $T$ a term. A typing context — or shortly, a context — is simply a finite ordered list of declarations denoted by $\Gamma = [x_1 : T_1; \ldots; x_n : T_n]$. Concatenation of contexts $\Gamma$ and $\Delta$ is denoted by $\Gamma; \Delta$. A declaration $(x : T)$ belongs to a context $\Gamma$ if $\Gamma = \Gamma_1; [x : T]; \Gamma_2$ for some contexts $\Gamma_1$ and $\Gamma_2$, that we write $(x : T) \in \Gamma$. Contexts are ordered by

— the prefix ordering, denoted by $\Gamma \sqsubseteq \Gamma'$, which means that $\Gamma' = \Gamma; \Delta$ for some context $\Delta$;

— the inclusion ordering, denoted by $\Gamma \subset \Gamma'$, which means that any declaration belonging to $\Gamma$ also belongs to $\Gamma'$.

If $\Gamma = [x_1 : T_1; \ldots; x_n : T_n]$ is a context, the set of declared variables of $\Gamma$ is the set defined by $DV(\Gamma) = \{x_1; \ldots; x_n\}$. We also extend the notations $FV(M)$ and $M\{x := N\}$ to contexts by setting

$FV(\Gamma) = FV(T_1) \cup \cdots \cup FV(T_n)$ and $\Gamma\{x := N\} = [x_1 : T_1\{x := N\}; \ldots; x_n : T_n\{x := N\}]$

the latter notation making sense only if $x \notin DV(\Gamma)$. Finally, we will write $\forall\Delta.U = \forall x_1{:}T_1.\ \ldots\ \forall x_n{:}T_n.U$ for any context $\Delta = [x_1 : T_1; \ldots; x_n : T_n]$ and for any term $U$.

⁴ There is no equivalent notation for the non-dependent implicit product, whose meaning will be discussed in paragraph […].
2.2 Reduction Rules

As for the untyped $\lambda$-calculus, we will use the notions of $\beta$- and $\eta$-reduction. (The need of the $\eta$-reduction rule, which is not assumed in the theory of Pure Type Systems, will be explained in paragraphs […] and […].) For each reduction rule $R \in \{\beta; \eta; \beta\eta\}$, we define

— the one-step $R$-reduction, denoted $\to_R$, as the contextual closure of $R$;

— the $R$-reduction, denoted $\twoheadrightarrow_R$, as the reflexive and transitive closure of $\to_R$;

— the $R$-convertibility equivalence, denoted $=_R$, as the reflexive, symmetric and transitive closure of $\to_R$.

Proposition 1 (Church-Rosser). The $\beta$-, $\eta$- and $\beta\eta$-reduction are Church-Rosser.

In the strict framework of Pure Type Systems, the $\beta\eta$-reduction does not satisfy the Church-Rosser property […], due to the presence of a type annotation in the $\lambda$-abstraction. However, such a problem does not arise in the implicit calculus, since we use a Curry-style $\lambda$-abstraction.

As for the untyped $\lambda$-calculus, any sequence of $\beta\eta$-reductions can be decomposed as a sequence of $\beta$-reductions followed by a sequence of $\eta$-reductions. This is a consequence of the following lemma, which will be useful for proving the $\beta\eta$-subject reduction property:

Lemma 1 ($\eta$-reduction delaying). For any terms $M_0$, $M_1$ and $M_2$ such that $M_0 \to_\eta M_1$ and $M_1 \to_\beta M_2$, there exists a term $M_1'$ such that $M_0 \twoheadrightarrow_\beta M_1'$ and $M_1' \twoheadrightarrow_\eta M_2$.

2.3 Typing Rules

The typing rules of the implicit calculus are parametrized by a set $\mathrm{Axiom} \subseteq \mathcal{S}^2$ for typing sorts, a set $\mathrm{Rule} \subseteq \mathcal{S}^3$ for typing both explicit and implicit products, and a cumulative ordering $s_1 \leq s_2$ between sorts, which are summarized in Fig. 2. Typing rules of the implicit calculus involve two judgments:

• $\Gamma \vdash$, which means: "the context $\Gamma$ is well-formed";

• $\Gamma \vdash M : T$, which means: "under the context $\Gamma$, the term $M$ has type $T$".

Validity of those judgments is defined by mutual induction using the rules of Fig. 2. The rules (Var), (Sort), (ExpProd), (ImpProd), (Lam), (App), (Conv) and (Cum) are the usual rules of ECC, except that we have an extra rule for the implicit product — which shares the same premises as the rule for the explicit product. Moreover, the convertibility rule (Conv) now identifies types up to $\beta\eta$-convertibility.

The rules (Gen) and (Inst) are the introduction and elimination rules for implicit product types. In contrast to the rules (Lam) and (App), the rules (Gen) and (Inst) have no associated constructors. Remark that the rule (Gen) involves a side-condition ensuring that the variable $x$ whose type has to be generalized does not appear free in the term $M$.

Fig. 2. Typing rules of the Implicit Calculus of Constructions

Axioms, product formation rules and cumulative ordering:

$\mathrm{Axiom} = \{(\mathsf{Prop}, \mathsf{Type}_1);\ (\mathsf{Set}, \mathsf{Type}_1);\ (\mathsf{Type}_i, \mathsf{Type}_{i+1});\ i > 0\}$

$\mathrm{Rule} = \{(s, \mathsf{Prop}, \mathsf{Prop});\ (s, \mathsf{Set}, \mathsf{Set});\ (\mathsf{Type}_i, \mathsf{Type}_i, \mathsf{Type}_i);\ s \in \mathcal{S},\ i > 0\}$

$\mathsf{Prop} \leq \mathsf{Prop};\ \mathsf{Set} \leq \mathsf{Set};\ \mathsf{Prop} \leq \mathsf{Type}_i;\ \mathsf{Set} \leq \mathsf{Type}_i;\ \mathsf{Type}_i \leq \mathsf{Type}_j \text{ if } i \leq j$

Rules for well-formed contexts:

(WF-E) $\dfrac{}{[\,] \vdash}$

(WF-S) $\dfrac{\Gamma \vdash T : s \qquad x \notin DV(\Gamma)}{\Gamma;[x : T] \vdash}$

Rules for well-typed terms:

(Var) $\dfrac{\Gamma \vdash \qquad (x : T) \in \Gamma}{\Gamma \vdash x : T}$

(Sort) $\dfrac{\Gamma \vdash \qquad (s_1, s_2) \in \mathrm{Axiom}}{\Gamma \vdash s_1 : s_2}$

(ExpProd) $\dfrac{\Gamma \vdash T : s_1 \qquad \Gamma;[x : T] \vdash U : s_2 \qquad (s_1, s_2, s_3) \in \mathrm{Rule}}{\Gamma \vdash \Pi x : T . U : s_3}$

(ImpProd) $\dfrac{\Gamma \vdash T : s_1 \qquad \Gamma;[x : T] \vdash U : s_2 \qquad (s_1, s_2, s_3) \in \mathrm{Rule}}{\Gamma \vdash \forall x : T . U : s_3}$

(Lam) $\dfrac{\Gamma;[x : T] \vdash M : U \qquad \Gamma \vdash \Pi x : T . U : s}{\Gamma \vdash \lambda x . M : \Pi x : T . U}$

(App) $\dfrac{\Gamma \vdash M : \Pi x : T . U \qquad \Gamma \vdash N : T}{\Gamma \vdash M\,N : U\{x := N\}}$

(Gen) $\dfrac{\Gamma;[x : T] \vdash M : U \qquad \Gamma \vdash \forall x : T . U : s \qquad x \notin FV(M)}{\Gamma \vdash M : \forall x : T . U}$

(Inst) $\dfrac{\Gamma \vdash M : \forall x : T . U \qquad \Gamma \vdash N : T}{\Gamma \vdash M : U\{x := N\}}$

(Conv) $\dfrac{\Gamma \vdash M : T \qquad \Gamma \vdash T' : s \qquad T =_{\beta\eta} T'}{\Gamma \vdash M : T'}$

(Cum) $\dfrac{\Gamma \vdash T : s_1 \qquad s_1 \leq s_2}{\Gamma \vdash T : s_2}$

(Ext) $\dfrac{\Gamma \vdash \lambda x . (M\,x) : T \qquad x \notin FV(M)}{\Gamma \vdash M : T}$

(Str) $\dfrac{\Gamma;[x : T] \vdash M : U \qquad x \notin FV(M) \cup FV(U)}{\Gamma \vdash M : U}$

The purpose of the next rule, called (Ext) for 'extensionality', is to enforce the $\eta$-subject reduction property in the implicit calculus. Such a rule cannot be derived from the other rules, for the same reasons that it cannot be derived in Curry-style system F, which is included in ICC. This rule is desirable here, since it gives smoother properties to the subtyping relation, such as the contravariant/covariant subtyping rules in products (see Lemma 14 in Sect. 3.2).

The Meaning of the Non-dependent Implicit Product. The presence of the last rule — called (Str) for "strengthening" — may be surprising, since the corresponding rule is admissible in the (Extended) Calculus of Constructions, and more generally in all functional PTS. In the implicit calculus, this is not the case, due to the presence of non-dependent implicit products. The main consequence of rule (Str) — and the reason for introducing it — is the following:

Lemma 2 (Non-dependent implicit product). — Let $\Gamma$ be a context, and let $T$ and $U$ be terms such that $x \notin FV(U)$ and $\forall x : T . U$ is a well-formed type in $\Gamma$. Then, for any term $M$ we have the equivalence:

$\Gamma \vdash M : \forall x : T . U \iff \Gamma \vdash M : U$

In other words, a non-dependent implicit product $\forall x : T . U$ has the very same inhabitants as the type $U$, obtained by removing the 'dummy' quantification $\forall x : T$. Without the rule (Str), this result would hold only if the type $T$ is not empty in the context $\Gamma$.
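The following worked derivation is added here and is not part of the original paper; it makes explicit how each direction of Lemma 2 follows from the rules of Fig. 2, using the weakening and inversion lemmas (Lemma 4 and Lemma 7) of Sect. 3.1 ahead of their statement. It assumes $\Gamma \vdash \forall x{:}T.U : s$ for some sort $s$ (this is what "well-formed type in $\Gamma$" means), $x \notin FV(U)$, and, by the variable convention, $x \notin DV(\Gamma)$ and $x \notin FV(M)$.

```latex
% Lemma 7 applied to  Γ ⊢ ∀x:T.U : s  gives  Γ ⊢ T : s_1  (Δ is empty because a sort is βη-normal),
% hence  Γ;[x:T] ⊢  by (WF-S).  This extended context is used in both directions.

% Direction (⇐): from  Γ ⊢ M : U  to  Γ ⊢ M : ∀x:T.U.  Only (Gen) is needed.
\dfrac{\dfrac{\Gamma \vdash M : U \qquad \Gamma;[x{:}T] \vdash}{\Gamma;[x{:}T] \vdash M : U}\ \text{Lemma 4}
       \qquad \Gamma \vdash \forall x{:}T.U : s \qquad x \notin FV(M)}
      {\Gamma \vdash M : \forall x{:}T.U}\ \text{(Gen)}

% Direction (⇒): from  Γ ⊢ M : ∀x:T.U  to  Γ ⊢ M : U.
% (Inst) instantiates the quantified x with the declared variable x itself, so U{x := x} = U,
% and (Str) then discharges the declaration, which is legal because x ∉ FV(M) ∪ FV(U).
\dfrac{\dfrac{\dfrac{\Gamma \vdash M : \forall x{:}T.U \qquad \Gamma;[x{:}T] \vdash}{\Gamma;[x{:}T] \vdash M : \forall x{:}T.U}\ \text{Lemma 4}
              \qquad \dfrac{\Gamma;[x{:}T] \vdash \qquad (x{:}T) \in \Gamma;[x{:}T]}{\Gamma;[x{:}T] \vdash x : T}\ \text{(Var)}}
             {\Gamma;[x{:}T] \vdash M : U\{x := x\} = U}\ \text{(Inst)}
       \qquad x \notin FV(M) \cup FV(U)}
      {\Gamma \vdash M : U}\ \text{(Str)}
```

The second derivation is where (Str) is essential: the instantiation is done with a variable that only exists inside the extended context. If instead some $N$ with $\Gamma \vdash N : T$ were available, (Inst) with $N$ would give $\Gamma \vdash M : U\{x := N\} = U$ directly, with no use of (Str); that is exactly the "$T$ not empty" proviso mentioned in the text.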

3 Typing Properties

3.1 Subject Reduction

The $\beta\eta$-subject reduction of the implicit calculus is surprisingly hard to prove due to the presence of the rule (Ext), whose premise involves a term structurally larger than the term in the conclusion. For that, we have to use a trick based on Lemma 1 in order to isolate the rule (Ext).

Step 1: Preliminary Results. We first prove the following three lemmas by an immediate induction on the structure of derivations:

Lemma 3 (Well-formed contexts). — Let $\Gamma$ be a context.

1. If $\Gamma$ is well-formed, then each prefix of $\Gamma$ is also well-formed.

2. If $\Gamma \vdash M : T$, then $\Gamma$ is well-formed.

Lemma 4 (Weakening). — Let $\Gamma$ and $\Gamma'$ be two contexts such that $\Gamma \subseteq \Gamma'$. If $\Gamma \vdash M : T$ and $\Gamma'$ is well-formed, then $\Gamma' \vdash M : T$.

Lemma 5 (Substitutivity). — If $\Gamma_1 \vdash M_0 : T_0$ and $\Gamma_1;[x_0 : T_0];\Gamma_2 \vdash M : T$, then

$\Gamma_1;(\Gamma_2\{x_0 := M_0\}) \vdash M\{x_0 := M_0\} : T\{x_0 := M_0\}$.

Step 2: The $\eta$-Subject Reduction Property. We now need to show that rule (Ext) can only be used at some places in a derivation. For that, we have to introduce the notion of stable form. A term $M$ is said to be

1. a sort form if $M =_{\beta\eta} \forall\Delta . s$ for some context $\Delta$ and some sort $s$;

2. a product form if $M =_{\beta\eta} \forall\Delta . \Pi x : T . U$ for some context $\Delta$ and some terms $T$ and $U$;

3. a stable form if $M$ is either a sort form or a product form.

The terminology of 'stable form' comes from the fact that stable forms are preserved at the right-hand side of judgments by subtyping rules such as (Inst), (Gen), (Ext), (Str), (Conv) or (Cum).

Lemma 6 (Stable forms). — If $\Gamma \vdash M : T$, then

1. if $M$ is a sort, an explicit or an implicit product, then $T$ is a sort form;

2. if $M$ is an abstraction, then $T$ is a product form.

Using this lemma, we prove the inversion lemma for explicit and implicit products, which is necessary to establish the $\eta$-subject reduction property.

Lemma 7 (Inversion of products). — If $\Gamma \vdash Bx : T . U : R$ (where $B$ is one of $\Pi$ or $\forall$), then there exist a context $\Delta$ and four sorts $s_1, s_2, s_3, s$ such that

1. $R =_{\beta\eta} \forall\Delta . s$;

2. $\Gamma;\Delta \vdash T : s_1$;

3. $\Gamma;\Delta;[x : T] \vdash U : s_2$;

4. $(s_1, s_2, s_3) \in \mathrm{Rule}$;

5. $s_3 \leq s$.

Lemma 8 (Type of types). — If $\Gamma \vdash M : T$, then there exists a sort $s$ such that $\Gamma \vdash T : s$.

Lemma 9 (Context conversion). — Let $\Gamma$ and $\Gamma'$ be contexts such that $\Gamma =_{\beta\eta} \Gamma'$. If $\Gamma \vdash M : T$ and if $\Gamma'$ is well-formed, then $\Gamma' \vdash M : T$.

Proposition 2 ($\eta$-subject reduction). — If $\Gamma \vdash M : T$ and $M \to_\eta M'$, then $\Gamma \vdash M' : T$.
Step 3: $\eta$-direct Derivations. We now need to isolate rule (Ext). For that, we say that a derivation of $\Gamma \vdash M : T$ is $\eta$-direct if one of the following conditions is satisfied:

— the last rule is (Var) or (Sort);

— the last rule is (ExpProd), (ImpProd) or (App), and the derivations of both premises are $\eta$-direct;

— the last rule is (Lam) and the derivation of the first premise is $\eta$-direct;

— the last rule is (Gen), (Inst), (Conv), (Cum) or (Str) and the derivation of the first premise is $\eta$-direct.

Intuitively, an $\eta$-direct derivation of a judgement $\Gamma \vdash M : T$ is a derivation in which the rule (Ext) cannot appear in the parts of the derivation corresponding to the destructuring of the term $M$.

In the following, we will write $\Gamma \vdash_d M : T$ when a judgment $\Gamma \vdash M : T$ has an $\eta$-direct derivation. This notion has good closure properties: the preceding lemmas still hold even if we replace $\Gamma \vdash M : T$ by $\Gamma \vdash_d M : T$ everywhere. (However, the $\eta$-subject reduction property does not hold when considering $\eta$-direct derivations only.)

Lemma 10 ($\eta$-direct inversion of abstraction). — If $\Gamma \vdash_d \lambda x . M : R$, then there exist a context $\Delta$ and two terms $T$, $U$ such that:

1. $R =_{\beta\eta} \forall\Delta . \Pi x : T . U$;

2. $\Gamma;\Delta;[x : T] \vdash_d M : U$.

Lemma 11 ($\eta$-direct $\beta$-subject reduction). — If $\Gamma \vdash_d M : T$ and $M \to_\beta M'$, then $\Gamma \vdash M' : T$.

Step 4: $\beta$-Subject Reduction. Before concluding, we need to show that any derivation of $\Gamma \vdash M : T$ can be transformed into an $\eta$-direct derivation, provided we make some $\eta$-expansions in the term $M$.

Lemma 12 ($\eta$-direct expansion). — If $\Gamma \vdash M : T$, then there exists a term $M_0$ such that $M_0 \twoheadrightarrow_\eta M$ and $\Gamma \vdash_d M_0 : T$.

The $\beta$-subject reduction property is then an immediate consequence of Lemmas 11 and 12.

Proposition 3 ($\beta$-subject reduction). — If $\Gamma \vdash M : T$ and $M \to_\beta M'$, then $\Gamma \vdash M' : T$.



3.2 Subtyping

One of the most interesting aspects of the Implicit Calculus of Constructions is the rich subtyping relation induced by the implicit product. This subtyping relation, which is denoted by $\Gamma \vdash T \leq T'$, can be defined directly from the typing judgment as the following 'macro':

$\Gamma \vdash T \leq T' \ \equiv\ \Gamma;[x : T] \vdash x : T'$ ($x$ a fresh variable)

Using that definition, we can prove that in a given context, subtyping is a preordering on well-formed types which satisfies the expected (Sub) rule:

Lemma 13 (Subtyping preordering). — The following rules are admissible:

$\dfrac{\Gamma \vdash T : s}{\Gamma \vdash T \leq T}$ $\qquad$ $\dfrac{\Gamma \vdash T_1 \leq T_2 \qquad \Gamma \vdash T_2 \leq T_3}{\Gamma \vdash T_1 \leq T_3}$ $\qquad$ $\dfrac{\Gamma \vdash M : T \qquad \Gamma \vdash T \leq T'}{\Gamma \vdash M : T'}$ (Sub)

Moreover, product formation acts in a contravariant way for the domain part, and in a covariant way for the codomain part:

Lemma 14 (Subtyping in products). — The following rules are admissible:

$\dfrac{\Gamma \vdash T' \leq T \qquad \Gamma;[x : T'] \vdash U \leq U'}{\Gamma \vdash \Pi x : T . U \leq \Pi x : T' . U'}$ $\qquad$ $\dfrac{\Gamma \vdash T' \leq T \qquad \Gamma;[x : T'] \vdash U \leq U'}{\Gamma \vdash \forall x : T . U \leq \forall x : T' . U'}$

The subtyping rule for explicit products would not hold without the rule (Ext). This is the main motivation for introducing the rule (Ext), which has been proven equivalent to the subtyping rule for explicit products.

Besides the notion of subtyping, we can also define a notion of typing equivalence, denoted by $\Gamma \vdash T \simeq T'$, which is simply the symmetric closure of the subtyping judgment $\Gamma \vdash T \leq T'$. We can prove the following equivalences:

Lemma 15 (Product commutations). — The following rules are admissible:

$\dfrac{\Gamma \vdash \forall x_1 : T_1 . \forall x_2 : T_2 . U : s \qquad \Gamma \vdash \forall x_2 : T_2 . \forall x_1 : T_1 . U : s'}{\Gamma \vdash \forall x_1 : T_1 . \forall x_2 : T_2 . U \simeq \forall x_2 : T_2 . \forall x_1 : T_1 . U}$

$\dfrac{\Gamma \vdash \Pi x_1 : T_1 . \forall x_2 : T_2 . U : s \qquad \Gamma \vdash \forall x_2 : T_2 . \Pi x_1 : T_1 . U : s'}{\Gamma \vdash \Pi x_1 : T_1 . \forall x_2 : T_2 . U \simeq \forall x_2 : T_2 . \Pi x_1 : T_1 . U}$

(Notice that the premises imply that there is no mutual dependency in the quantifications of the conclusions, i.e. $x_1 \notin FV(T_2)$ and $x_2 \notin FV(T_1)$.)

3.3 Consistency Results

In the implicit calculus, there are two propositions for representing falsity: the explicit falsity $\Pi A : \mathsf{Prop} . A$ and the implicit falsity $\forall A : \mathsf{Prop} . A$. However, both falsities are provably equivalent:

$\lambda f . f\,(\forall A : \mathsf{Prop} . A) : (\Pi A : \mathsf{Prop} . A) \to (\forall A : \mathsf{Prop} . A)$

$\lambda p\,A . p : (\forall A : \mathsf{Prop} . A) \to (\Pi A : \mathsf{Prop} . A)$

The last proof is quite general, since we have

$\lambda p\,x . p : (\forall x : T . U) \to (\Pi x : T . U)$,

which means that an explicit product has at least as many inhabitants as the corresponding implicit product.

The main consistency result of the Implicit Calculus of Constructions is a consequence of the following lemma:

Lemma 16 (Stable forms). — In the empty context, the type of a term which has a weak head normal form is a stable form.

Since the implicit falsity is not a stable form, we have:

Proposition 4. — If the Implicit Calculus of Constructions is strongly normalizing, then it is logically consistent.



4 Semantics and Strong Normalization

Building a model of the Implicit Calculus of Constructions is a fascinating challenge, especially because of its rich subtyping relation. The main difficulty is caused by the interpretation of the Curry-style $\lambda$-abstraction, which implies not only the traditional typing ambiguity, but also a stratification ambiguity. For instance, the identity $\lambda x . x$ has several types such as $\forall A : \mathsf{Prop} . A \to A$ or $\forall A : \mathsf{Type}_i . A \to A$ ($i > 0$) which are not defined at the same level of the universe hierarchy.

In [13], we have proposed a domain-theoretical model of the restricted implicit calculus — that is, the implicit calculus without the rule (Str). This model is based on an untyped interpretation of terms in a large coherence space. The corresponding interpretation has nice properties: it allows one to interpret all the terms — even the ill-typed ones — independently of their possible types.

More recently, we have transformed this model into a strong normalization model, by incorporating reducibility information into the denotation of types. This normalization model now interprets the full calculus — including the strengthening rule — thus proving the following result. (The manuscript of the strong normalization proof is available on the author's web page at http://pauillac.inria.fr/~miquel.)

Theorem 1 (Strong normalization). — Every well-typed term of the Implicit Calculus of Constructions is strongly normalizing.

Corollary 1. — The Implicit Calculus of Constructions is logically consistent.
5 Impredicative Encodings

In this section we shall illustrate the expressiveness of the Implicit Calculus of Constructions by comparing impredicative encodings of lists and dependent lists (vectors), and by studying their relationships with respect to subtyping.

In the implicit calculus, lists are encoded as follows:

$\mathsf{list} : \mathsf{Set} \to \mathsf{Set} := \lambda A . \forall X : \mathsf{Set} . X \to (A \to X \to X) \to X$

$\mathsf{nil} : \forall A : \mathsf{Set} . \mathsf{list}\,A := \lambda x\,f . x$

$\mathsf{cons} : \forall A : \mathsf{Set} . A \to \mathsf{list}\,A \to \mathsf{list}\,A := \lambda a\,l\,x\,f . f\,a\,(l\,x\,f)$

Notice that here, the polymorphic constructors $\mathsf{nil}$ and $\mathsf{cons}$ are exactly the usual constructors of (untyped) lists in the pure $\lambda$-calculus. In fact, this result is not specific to the implicit calculus: this example could have been encoded the same way in the Curry-style equivalent of system $F\omega$ in the cube of TAS, since the implicit quantification was precisely used for impredicative products.

In such a framework, it is not necessary to give an extra argument at each 'cons' operation to build a list:

$\mathsf{cons}\ \mathsf{true}\ (\mathsf{cons}\ \mathsf{false}\ (\mathsf{cons}\ \mathsf{true}\ \mathsf{nil})) : \mathsf{list}\ \mathsf{bool}$.

Using the traditional encoding of lists in the Calculus of Constructions, the same list would have been written

$\mathsf{cons}\ \mathsf{bool}\ \mathsf{true}\ (\mathsf{cons}\ \mathsf{bool}\ \mathsf{false}\ (\mathsf{cons}\ \mathsf{bool}\ \mathsf{true}\ (\mathsf{nil}\ \mathsf{bool}))) : \mathsf{list}\ \mathsf{bool}$

by explicitly instantiating the type of the constructors at each construction step.

In the implicit calculus anyway, the constructor of lists has the good covariance property with respect to the subtyping relation:

Proposition 5 (Covariance of the type of lists). — For all contexts $\Gamma$ and for all terms $A$ and $B$ of type $\mathsf{Set}$ in $\Gamma$ we have:

$\Gamma \vdash A \leq B \ \Longrightarrow\ \Gamma \vdash \mathsf{list}\,A \leq \mathsf{list}\,B$.

In fact, the situation becomes far more interesting if we consider the type of dependent lists — that we call vectors. The type of vectors is like the type of lists, except that it also depends on the size of the list. In the implicit calculus, the type of vectors can be encoded as follows:

$\mathsf{vect} : \mathsf{Set} \to \mathsf{nat} \to \mathsf{Set}$

$:= \lambda A\,n . \forall P : \mathsf{nat} \to \mathsf{Set} . P\,0 \to (\forall p : \mathsf{nat} . A \to P\,p \to P\,(S\,p)) \to P\,n$,

where $\mathsf{nat}$, $0$ and $S$ are defined according to the usual encoding of Church integers in Curry-style system F. The interesting point is that we do not need to define a new nil and a new cons for vectors. Indeed, it is straightforward to check that the $\mathsf{nil}$ and $\mathsf{cons}$ that we defined for building lists also have the following types:

$\mathsf{nil} : \forall A : \mathsf{Set} . \mathsf{vect}\,A\,0$

$\mathsf{cons} : \forall A : \mathsf{Set} . \forall n : \mathsf{nat} . A \to \mathsf{vect}\,A\,n \to \mathsf{vect}\,A\,(S\,n)$

In other words, lists and (fixed-length) vectors share the very same constructors, so we can take back the list of booleans above and assign to it the following more accurate type:

$\mathsf{cons}\ \mathsf{true}\ (\mathsf{cons}\ \mathsf{false}\ (\mathsf{cons}\ \mathsf{true}\ \mathsf{nil})) : \mathsf{vect}\ \mathsf{bool}\ (S\,(S\,(S\,0)))$.

In the Calculus of Constructions, such a sharing of constructors is not possible between lists and dependent lists, so we have to define a new pair of constructors $\mathsf{nil}'$ and $\mathsf{cons}'$ to write the term

$\mathsf{cons}'\ \mathsf{bool}\ (S\,(S\,0))\ \mathsf{true}\ (\mathsf{cons}'\ \mathsf{bool}\ (S\,0)\ \mathsf{false}\ (\mathsf{cons}'\ \mathsf{bool}\ 0\ \mathsf{true}\ (\mathsf{nil}'\ \mathsf{bool}))) : \mathsf{vect}\ \mathsf{bool}\ (S\,(S\,(S\,0)))$,

whose real computational content is completely hidden by the type and size arguments given to the constructors $\mathsf{nil}'$ and $\mathsf{cons}'$.
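Two claims above, that the list constructors are plain untyped $\lambda$-terms and that the very same terms inhabit the vector types, can be checked by hand. The following worked example is added here and is not part of the original paper. It assumes the standard Church encoding of $\mathsf{nat}$ (with $0 = \lambda s\,z . z$ and $S = \lambda n\,s\,z . s\,(n\,s\,z)$), treats $\mathsf{true}$ and $\mathsf{false}$ as arbitrary inhabitants of $\mathsf{bool}$, and omits the product well-formedness premises of (Lam) and (Gen).

```latex
% 1. Computational content: the list of booleans β-reduces to a bare fold,
%    independently of whether it is typed as a list or as a vector.
\begin{align*}
\mathsf{cons}\ \mathsf{true}\ \mathsf{nil}
  &\to_\beta \lambda x\,f . f\ \mathsf{true}\ (\mathsf{nil}\ x\ f)
   \twoheadrightarrow_\beta \lambda x\,f . f\ \mathsf{true}\ x \\
\mathsf{cons}\ \mathsf{false}\ (\mathsf{cons}\ \mathsf{true}\ \mathsf{nil})
  &\twoheadrightarrow_\beta \lambda x\,f . f\ \mathsf{false}\ (f\ \mathsf{true}\ x) \\
\mathsf{cons}\ \mathsf{true}\ (\mathsf{cons}\ \mathsf{false}\ (\mathsf{cons}\ \mathsf{true}\ \mathsf{nil}))
  &\twoheadrightarrow_\beta \lambda x\,f . f\ \mathsf{true}\ (f\ \mathsf{false}\ (f\ \mathsf{true}\ x))
\end{align*}

% 2. Typing  cons : ∀A:Set.∀n:nat. A → vect A n → vect A (S n).  Contexts used:
%    Γ_0 = [A:Set; n:nat; a:A; l:vect A n]
%    Γ_1 = Γ_0;[P:nat→Set]
%    Γ_2 = Γ_1;[x:P 0; f:∀p:nat. A → P p → P (S p)]
\begin{align*}
\Gamma_2 &\vdash f : A \to P\,n \to P\,(S\,n)
   && \text{(Inst) on } f \text{ with } p := n \\
\Gamma_2 &\vdash f\,a : P\,n \to P\,(S\,n)
   && \text{(App)} \\
\Gamma_2 &\vdash l : \forall P'{:}\,\mathsf{nat}\to\mathsf{Set}\,.\ P'\,0 \to (\forall p{:}\mathsf{nat}\,.\ A \to P'\,p \to P'\,(S\,p)) \to P'\,n
   && \text{(Conv), unfolding } \mathsf{vect}\,A\,n \\
\Gamma_2 &\vdash l : P\,0 \to (\forall p{:}\mathsf{nat}\,.\ A \to P\,p \to P\,(S\,p)) \to P\,n
   && \text{(Inst) with } P' := P \\
\Gamma_2 &\vdash l\,x\,f : P\,n
   && \text{(App) twice, } f \text{ at its declared type} \\
\Gamma_2 &\vdash f\,a\,(l\,x\,f) : P\,(S\,n)
   && \text{(App)} \\
\Gamma_1 &\vdash \lambda x\,f . f\,a\,(l\,x\,f) : P\,0 \to (\forall p{:}\mathsf{nat}\,.\ A \to P\,p \to P\,(S\,p)) \to P\,(S\,n)
   && \text{(Lam) twice} \\
\Gamma_0 &\vdash \lambda x\,f . f\,a\,(l\,x\,f) : \mathsf{vect}\,A\,(S\,n)
   && \text{(Gen) on } P \ (P \notin FV), \text{ then (Conv)} \\
[A{:}\mathsf{Set}; n{:}\mathsf{nat}] &\vdash \lambda a\,l\,x\,f . f\,a\,(l\,x\,f) : A \to \mathsf{vect}\,A\,n \to \mathsf{vect}\,A\,(S\,n)
   && \text{(Lam) twice} \\
[\,] &\vdash \mathsf{cons} : \forall A{:}\mathsf{Set}\,.\ \forall n{:}\mathsf{nat}\,.\ A \to \mathsf{vect}\,A\,n \to \mathsf{vect}\,A\,(S\,n)
   && \text{(Gen) twice}
\end{align*}

% 3. nil is the same argument with nothing to eliminate:
%    Γ_1;[x:P 0; f:…] ⊢ x : P 0 by (Var), then (Lam) twice, (Gen) on P, (Conv) to vect A 0, (Gen) on A.
```

The derivation for $\mathsf{cons} : \forall A : \mathsf{Set} . A \to \mathsf{list}\,A \to \mathsf{list}\,A$ is the same one with the constant predicate: replace $P\,0$, $P\,n$ and $P\,(S\,n)$ by a single $X : \mathsf{Set}$, drop the (Inst) step on $f$, and generalize over $X$ instead of $P$. The term itself never changes, which is the whole point of the comparison with $\mathsf{cons}'$.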

In the implicit calculus, we can even derive that the type of vectors (of a given size) is a subtype of the type of lists:

Proposition 6. — For all contexts $\Gamma$ and for all terms $A$ and $n$ such that $\Gamma \vdash A : \mathsf{Set}$ and $\Gamma \vdash n : \mathsf{nat}$, one can derive the subtyping judgment:

$\Gamma \vdash \mathsf{vect}\,A\,n \leq \mathsf{list}\,A$.
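As an added illustration, not part of the original paper, here is how the subtyping judgment of Proposition 6 is obtained by unfolding the 'macro' definition of $\leq$: one shows $\Gamma;[v : \mathsf{vect}\,A\,n] \vdash v : \mathsf{list}\,A$ for a fresh $v$. It assumes $\Gamma \vdash A : \mathsf{Set}$ and $\Gamma \vdash n : \mathsf{nat}$ as in the proposition, writes $\Gamma' = \Gamma;[v : \mathsf{vect}\,A\,n]$, and again omits product well-formedness premises.

```latex
% Step 1: unfold the definition of vect (Conv).
\Gamma' \vdash v : \forall P{:}\,\mathsf{nat}\to\mathsf{Set}\,.\ P\,0 \to (\forall p{:}\mathsf{nat}\,.\ A \to P\,p \to P\,(S\,p)) \to P\,n

% Step 2: in Γ';[X:Set], choose the constant predicate  P := λm.X  (of type nat → Set by (Lam)),
%         instantiate with (Inst) and β-reduce the three applications of it with (Conv):
\Gamma';[X{:}\mathsf{Set}] \vdash v : X \to (\forall p{:}\mathsf{nat}\,.\ A \to X \to X) \to X

% Step 3: the inner quantification is non-dependent (p ∉ FV(A → X → X)), so by Lemma 2, read
%         through the macro definition of ≤ (a fresh y : A → X → X has type ∀p:nat.(A → X → X) by (Gen)):
\Gamma';[X{:}\mathsf{Set}] \vdash (A \to X \to X) \leq \forall p{:}\mathsf{nat}\,.\ (A \to X \to X)

% Step 4: contravariance of the domain (Lemma 14, explicit product case), applied under the outer X → _,
%         with reflexivity (Lemma 13) for the parts that do not change:
\Gamma';[X{:}\mathsf{Set}] \vdash X \to (\forall p{:}\mathsf{nat}\,.\ A \to X \to X) \to X \ \leq\ X \to (A \to X \to X) \to X

% Step 5: (Sub) from Lemma 13, then (Gen) on X (X ∉ FV(v)), then (Conv) to fold list A:
\Gamma';[X{:}\mathsf{Set}] \vdash v : X \to (A \to X \to X) \to X
\qquad\Longrightarrow\qquad
\Gamma' \vdash v : \forall X{:}\mathsf{Set}\,.\ X \to (A \to X \to X) \to X \;=_\beta\; \mathsf{list}\,A

% By the definition of the subtyping macro this is  Γ ⊢ vect A n ≤ list A.
```

Steps 3 and 4 are where the implicit product earns its keep: the size index $n$ disappears because the fold predicate is instantiated to a constant, and the $\forall p$ guard on the step function is absorbed by the non-dependent-product equivalence, which an explicit $\Pi p$ would not allow.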

To give another illustration of the expressive power of the Implicit Calculus of Constructions, let us study the case of Leibniz equality. In the implicit calculus, the natural impredicative encoding of equality is the following:

$\mathsf{eq} : \Pi A : \mathsf{Set} . A \to A \to \mathsf{Prop} := \lambda A\,x\,y . \forall P : A \to \mathsf{Prop} . P\,x \to P\,y$.

The reflexivity of equality is simply proven by the identity function

$\lambda p . p : \forall A : \mathsf{Set} . \forall x : A . \mathsf{eq}\,A\,x\,x$

whereas the proof of transitivity is given by the composition operator

$\lambda f\,g\,p . g\,(f\,p) : \forall A : \mathsf{Set} . \forall x, y, z : A . \mathsf{eq}\,A\,x\,y \to \mathsf{eq}\,A\,y\,z \to \mathsf{eq}\,A\,x\,z$.

A Remark about Implicit Positions. In the example above, the type parameter $A$ is an implicit argument of the reflexivity and transitivity proofs, but it is an explicit argument of the equality predicate, although it can easily be inferred in that context. On the contrary, the implicit calculus allows the use of implicit elimination predicates (see for instance the encoding of vectors), although the inference of such predicates requires complex techniques based on higher-order unification in practice. Those examples show that the arguments that can be automatically inferred and the arguments that can be dropped out of the syntax without harm for the consistency are generally not the same.
6 Future Work

Undecidability of Type-Checking. Decidability of type-checking in the implicit calculus is still an open problem. However, we strongly conjecture that type-checking is undecidable, at least because it contains the Curry-style system F. In fact, the inclusion of Curry-style system F into the implicit calculus seems to be only a minor point, since the implicit product allows one to hide far more typing information than in the TAS. For that reason, the implicit calculus is not suitable for being used in a proof assistant system. Nevertheless, it could be fruitful to study ad hoc restrictions of the implicit calculus, in which decidability of type-checking is preserved.

Extending this Approach to All PTS. The approach described here can be easily extended to all Pure Type Systems. Within the more general framework of Implicit Pure Type Systems, it is possible to have different formation rules for explicit and implicit products (by introducing two sets $\mathrm{Rule}_\Pi, \mathrm{Rule}_\forall \subseteq \mathcal{S}^3$ instead of the single set $\mathrm{Rule}$ of the Implicit Calculus of Constructions). In that framework, most of the results exposed in Sect. 3 still hold (including the $\beta\eta$-subject reduction property), since their proofs do not rely on the assumption that explicit and implicit products share the same formation rules.
Abstract. This paper presents a game model of Second-order Intuitionistic Multiplicative Affine Logic (IMAL2). We extend Lamarche's essential nets to the second-order affine setting and use them to show that the model is fully and faithfully complete.

1 Introduction

This paper is about a second-order extension of AJM games, which we call evolving games. A play begins with O making an opening move, and the two players alternate thereafter. An evolving game has two kinds of tokens: ground and second-order. Ground tokens are standard; they are playable at once (if reachable). Second-order tokens are (descriptions of) game evolutions, which cannot be played right away on their own. If a second-order token $\theta$ is reachable at a given position, a player may import a game $A$ as an argument for the evolution operator $\theta$, thus causing the current game to grow locally, with the game $\theta(A)$ grafted at where the token $\theta$ was. Transported now to the new and expanded game, the same player may play a ground token if one is reachable and so complete the second-order move; or he may continue the evolution process (if a second-order token is reachable) by importing another game, and so on. However, after finitely many such evolution steps, the player is required to play a ground token, thus finally completing the second-order move. A version of this approach first appeared in a LICS'97 paper by Hughes. He shows how a fully complete model for System F can be constructed. A more abstract presentation has also been considered since.

Our goal is to construct a simple evolving game model for Second-order Intuitionistic Multiplicative Affine Logic (IMAL2) (see Figure 1 for the rules of the IMAL2 Sequent Calculus; note that we do not consider the unit). In Section 2 we introduce evolving games and define the playable moves and

* On leave from Nicholas Copernicus University, Toruń, Poland.

** http://www.comlab.ox.ac.uk/oucl/work/luke.ong.html

S. Abramsky (Ed.): TLCA 2001, LNCS 2044, pp. 360 ff., 2001.

(c) Springer-Verlag Berlin Heidelberg 2001
(atom) $\dfrac{}{a \vdash a}$ $\qquad$ (var) $\dfrac{}{X \vdash X}$

(exch) $\dfrac{\Gamma, A, B, \Delta \vdash C}{\Gamma, B, A, \Delta \vdash C}$ $\qquad$ (wk) $\dfrac{\Gamma \vdash B}{\Gamma, A \vdash B}$

($\otimes$-l) $\dfrac{A, B, \Gamma \vdash C}{A \otimes B, \Gamma \vdash C}$ $\qquad$ ($\otimes$-r) $\dfrac{\Gamma \vdash A \qquad \Delta \vdash B}{\Gamma, \Delta \vdash A \otimes B}$

($\multimap$-l) $\dfrac{\Gamma \vdash A \qquad B, \Delta \vdash C}{A \multimap B, \Gamma, \Delta \vdash C}$ $\qquad$ ($\multimap$-r) $\dfrac{\Gamma, A \vdash B}{\Gamma \vdash A \multimap B}$

($\forall$-l) $\dfrac{\Gamma, A[B/X] \vdash C}{\Gamma, \forall X . A \vdash C}$ $\qquad$ ($\forall$-r) $\dfrac{\Gamma \vdash A}{\Gamma \vdash \forall X . A}$

where the side condition of ($\forall$-r) is: $X$ does not occur free in $\Gamma$.

Fig. 1. The rules defining valid IMAL2 sequents



positions of an evolving game. As our aim is to construct a fully complete model for IMAL2, our treatment here is restricted to a version of free such games, which are in one-one correspondence with closed IMAL2 types. IMAL2 proofs are modelled by strategies which we present in two stages. We consider first the simple scenario in which the games imported by O (as arguments for his second-order tokens) are guaranteed to be singleton games consisting of a ground token. P-strategies for playing such evolving games are called symbolic. Strategies that denote proofs are total, (ground) token-reflecting and finitely presentable; in addition, the evolution arguments P imports are determined schematically by those which O has imported thus far in the play. We call symbolic strategies that possess these properties regular, and they are introduced in Section 3. Regular strategies cannot be composed; however, strategies that are generated from regular strategies by a process of copycat expansion do compose, as we show in a later section. (It is worth noting that our proof of compositionality is direct and syntax-independent, or rather, independent of the formal system IMAL2.) We call such strategies good, and they give rise to a model of IMAL2.

We then turn our attention to essential nets, which are a kind of oriented proof nets, for IMAL2. We give a correctness criterion for such nets, and prove that all correct nets are sequentializable. The main result of the paper is Theorem 12:

Evolving games and good strategies are fully and faithfully complete for IMAL2,

which is proved in the last part of the paper. The key step is a correspondence result which shows that each regular strategy determines a correct essential net for the associated end-sequent. Faithful completeness is proved with respect to a notion of equivalence of such nets.

The only game model for IMAL2 in the literature is the one cited above. Recently Abramsky and Lenisa [5] have constructed a linear combinatory algebra of partial involutions on the natural numbers, arising from Geometry of Interaction constructions; they show that a fully and faithfully complete model for ML polymorphic types of system F can be obtained in this way. To the best of our knowledge, our game model is the first fully (and faithfully) complete model for IMAL2; indeed all results in this paper are new.

2 Evolving Games

We assume the notions of games (and singleton games) as defined in the standard AJM references: we shall call them IMAL games. Recall that new games can be constructed from old using standard game constructions. We write $s \restriction A$ to mean the subsequence of $s$ consisting only of moves from $A$, and define $\overline{P} = O$ and $\overline{O} = P$. For a game $G$, we write $M_G^{\circledast}$ to mean the set of finite alternating sequences of moves from $M_G$. The first two, tensor games $A \otimes B$ and linear function space games $A \multimap B$, are standard. For $\circledast = \otimes$ and $\multimap$ we have

$M_{A \circledast B} = M_A + M_B$

$P_{A \circledast B} = \{\, s \in M_{A \circledast B}^{\circledast} \mid s \restriction A \in P_A,\ s \restriction B \in P_B \,\}$

where $\lambda_{A \otimes B}$ is defined to be the canonical map $[\lambda_A, \lambda_B] : M_A + M_B \to \{P, O\}$, and $\lambda_{A \multimap B} = [\overline{\lambda_A}, \lambda_B]$. Note that it is a consequence of the definition that every $s \in P_{A \otimes B}$ satisfies the O-Switching Condition: for each pair of consecutive moves $m\,m'$ in $s$, if $m$ and $m'$ are from different components (i.e. one is from $A$, the other from $B$), then $m'$ is an O-move. Similarly it follows that every $s \in P_{A \multimap B}$ satisfies the P-Switching Condition, i.e. only P can switch component.

Tokens: ground and second-order. Fix an infinite set $T_G$ of ground tokens which are ranged over by $a, b, c$, etc. The set $\mathcal{G}$ of free games is generated from the ground tokens by the constructors of IMAL2 as follows:

— every ground token $a \in T_G$, considered as a singleton game, is in $\mathcal{G}$;

— if $G_1$ and $G_2$ are in $\mathcal{G}$ then $G_1 \otimes G_2$ and $G_1 \multimap G_2$ are in $\mathcal{G}$;

— if $G \in \mathcal{G}$ then for each $e \in T_G$, the singleton game $[\forall e . G]$ is in $\mathcal{G}$.

(By abuse of notation, we confuse a singleton game with its sole token.) Tokens of the form $[\forall e . G]$ are called second-order tokens. Thus $\mathcal{G}$ contains games generated from both ground and second-order tokens using the constructors $\otimes$ and $\multimap$.

Remark 1. As we shall see shortly, a second-order token $[\forall a . G]$ is a description of the game operation $A \mapsto G[A/a]$. As usual, $\alpha$-equivalent second-order tokens are considered identical. Clearly free games are in one-one correspondence with closed IMAL2 types.
Given any IMAL2 formula $F$ and a map $\rho$ from its free variables to $\mathcal{G}$, there is an obvious denotation $\llbracket F \rrbracket\rho$ in $\mathcal{G}$. E.g. take $F = X \otimes \forall Y . (Y \otimes (X \multimap \forall Z . Z))$ and $\rho : X \mapsto [\forall b . (e \multimap b)] \otimes e$; we have

$\llbracket F \rrbracket\rho = ([\forall b . (e \multimap b)] \otimes e) \otimes [\forall Y . (Y \otimes (([\forall b . (e \multimap b)] \otimes e) \multimap [\forall Z . Z]))]$.

Playable moves of an evolving game. When considered as an IMAL game, a move of a free game $G$ is either a ground or a second-order token, which can be named by its occurrence in the syntax tree of $G$. For this purpose the branches of $\otimes$ are labelled $l$ and $r$, and those of $\multimap$ are labelled $L$ and $R$. For instance, the tokens of the game $a \otimes (b \multimap [\forall c . c])$ (from left to right) are $l$, $rL$ and $rR$.

In the setting of evolving games, starting from $G$ (say), the interim game (which we can think of as the "current game board") grows as the play unfolds, so that over the lifetime of a play, many more moves than are specified in the initial game $G$ become available. We call these generalized moves playable moves of the evolving game $G$ and define them by recursion as follows.

Definition 1. A string $s \in (\{l, r, L, R\} \cup \mathcal{G})^*$ is a playable move of an evolving game $G$ if:

— either $s \in \{l, r, L, R\}^*$ names a ground token in $G$, called the playable token of $s$; then we say that $G$ does not evolve (as a consequence of playing $s$);

— or there exist $A \in \mathcal{G}$ (called evolution argument), $s_1 \in \{l, r, L, R\}^*$, $s_2 \in (\{l, r, L, R\} \cup \mathcal{G})^*$ such that $s = s_1 A s_2$, $s_1$ names a second-order token $[\forall e . T]$ in $G$, and $s_2$ is a playable move of the game $T[A/e]$. The playable token of $s$ is defined to be the same as that of $s_2$ (although playability is defined with respect to a different game). If $s_2$ causes $T[A/e]$ to evolve into $G'$, then we say that $s$ causes $G$ to evolve into $G[G'/[\forall e . T]]$.

Note that in the second case above it may take several evolution arguments to make a playable move. We shall write the evolution arguments as superscripts (e.g. $s_1^{A} s_2$ above). From the moment such an $A$ is played we say that the slot $s_1$ is defined. It may turn out that $s_2$ begins with a contiguous segment of evolution arguments, in which case all of them form part of the definition of slot $s_1$. If $s_2 = A_1 \cdots A_n s_3$ for $A_i \in \mathcal{G}$ and $s_3$ begins with one of $l, r, L$ or $R$, we write $\lceil s_1 \rceil = A\,A_1 \cdots A_n$. If $s$ is a playable move for $G$, we call $s \restriction \{l, r, L, R\}$ the location of $s$, and we write it as $\lfloor s \rfloor$.

Example 1. (i) $\varepsilon^{(a \otimes [\forall d . d])}\, r^{(b \otimes [\forall c . c])}\, l$ is a playable move for the singleton game $[\forall b . b]$, which consequently evolves into $a \otimes (b \otimes [\forall c . c])$. The playable token is $b$ and the slots defined by that move are $\lceil \varepsilon \rceil = a \otimes [\forall d . d]$ and $\lceil r \rceil = b \otimes [\forall c . c]$.

(ii) The playable move $\underbrace{[\forall e . e] \cdots [\forall e . e]}_{k}\, a$ causes the singleton game $[\forall b . b]$ to evolve into $a$. There are $k$ intermediate steps, all equal to $[\forall b . b]$, and $a$ is the playable token. The move defines $\lceil \varepsilon \rceil$ to be $\underbrace{[\forall e . e] \cdots [\forall e . e]}_{k}\, a$.

Observe that in general $\lceil - \rceil : \{l, r, L, R\}^* \rightharpoonup \mathcal{G}^{+}$, where $X^{+}$ means the set of non-empty words over the alphabet-set $X$. (A playable move $m$ can be seen as defining a set $\{\lceil s_1^m \rceil, \ldots\}$ of slot definitions for $s_i^m \in \{l, r, L, R\}^*$.)

Plays of an evolving game. We define positions of the evolving game $G$ as follows.

Definition 2 (Positions). The empty sequence is a position. If the finite sequence of playable moves, $s$, is a position and $G'$ is the evolved game at that point, then $sm$ is a position provided

(i) $m$ is a playable move of $G'$, and

(ii) the sequence consisting of the respective locations of the elements in $sm$ is a position of $G''$ (here in the standard sense of IMAL games), where $G''$ is the game that has evolved from $G'$ after $m$ is played.

Example 2. We examine two maximal positions for the game

$[\forall X . ((X \multimap X) \otimes [\forall Y . (Y \multimap Y)])] \multimap [\forall X . ((X \multimap X) \otimes [\forall Y . (Y \multimap Y)])]$

(i) We display the position as follows:

moves: $(R^{e} l R)\ \ (L^{e} l R)\ \ (L l L)\ \ (R l L)\ \ (R r^{c} R)\ \ (L r^{c} R)\ \ (L r L)\ \ (R r L)$

evolution: $G_1\ \ G_2\ \ G_2\ \ G_2\ \ G_3\ \ G_4\ \ G_4\ \ G_4$

where:

$G_1 = [\forall X . ((X \multimap X) \otimes [\forall Y . (Y \multimap Y)])] \multimap ((e \multimap e) \otimes [\forall Y . (Y \multimap Y)])$

$G_2 = (e \multimap e) \otimes [\forall Y . (Y \multimap Y)] \multimap (e \multimap e) \otimes [\forall Y . (Y \multimap Y)]$

$G_3 = (e \multimap e) \otimes [\forall Y . (Y \multimap Y)] \multimap (e \multimap e) \otimes (c \multimap c)$

$G_4 = (e \multimap e) \otimes (c \multimap c) \multimap (e \multimap e) \otimes (c \multimap c)$

After the first move we have $\lceil R \rceil = e$, after the second $\lceil L \rceil = e$. The fifth move defines $\lceil Rr \rceil$ to be $c$ and the next makes $\lceil Lr \rceil$ equal to $c$.

(ii) After the first move we have $\lceil R \rceil = e$ and $\lceil Rr \rceil = c$. The second move sets $\lceil L \rceil = e$ and $\lceil Lr \rceil = c$. The position is displayed below:

moves: $(R^{e} r^{c} R)\ \ (L^{e} r^{c} R)\ \ (L r L)\ \ (R r L)\ \ (R l R)\ \ (L l R)\ \ (L l L)\ \ (R l L)$

evolution: $H_1\ \ H_2\ \ H_2\ \ H_2\ \ H_2\ \ H_2\ \ H_2\ \ H_2$

where:

$H_1 = [\forall X . ((X \multimap X) \otimes [\forall Y . (Y \multimap Y)])] \multimap (e \multimap e) \otimes (c \multimap c)$

$H_2 = (e \multimap e) \otimes (c \multimap c) \multimap (e \multimap e) \otimes (c \multimap c)$

Call a string $s \in \{l, r, L, R\}^*$ an O-location if $s$ contains an even number of $L$'s. Otherwise it is a P-location. The sets containing them are called $L_O$ and $L_P$ respectively. Intuitively an O-location is the occurrence of an O-move in a game. Thus if $\lceil s \rceil$ is defined in a position and $s$ is an O-location (respectively P-location), then it was first defined by O (respectively P). In other words, a player cannot define his opponent's slots.

3 Symbolic Strategies 

In order to prove a definability result, it is convenient to consider first the simple scenario in which the evolution arguments provided by O are guaranteed to be (sequences of) ground tokens (regarded as singleton games); we say that O plays symbolically in this case. This assumption makes it easy to see that denotable P-strategies have a finite description.

Formally we say that O plays symbolically in a position if for each $s \in \mathcal{L}_O$ defined therein we have $\lceil s\rceil \in T_G^{+}$. For the rest of the section we assume that O plays symbolically. We say that a P-strategy $\sigma$ is symbolic just in case for every even-length $s \in \sigma$, if $sm$ is a position then $sm \in \sigma$ if and only if the O-move $m$ is symbolic.

The purpose of the next definition is to introduce strategies that are parametric in the sense that the evolution arguments given by P are determined by those given by O in a schematic fashion. First we set $\mathcal{G}(\mathcal{L}_O)$ to be the collection of formal objects defined by the following rules:

— every ground token $a \in T_G$ and every O-location are in $\mathcal{G}(\mathcal{L}_O)$

— if $G_1$ and $G_2$ are in $\mathcal{G}(\mathcal{L}_O)$ then $G_1 \otimes G_2$ and $G_1 \multimap G_2$ are in $\mathcal{G}(\mathcal{L}_O)$

— if $G \in \mathcal{G}(\mathcal{L}_O)$ then for each $e \in T_G$, $[\forall e.G]$ is in $\mathcal{G}(\mathcal{L}_O)$.

For example we have $c \multimap Rr \otimes [\forall a.(LLr \multimap a \otimes b)] \in \mathcal{G}(\mathcal{L}_O)$. (Informally $\mathcal{G}(\mathcal{L}_O)$ is the collection of free games in which some ground tokens are replaced by O-locations.)

Definition 3. The pair $f : \mathcal{L}_O \to \mathcal{L}_P$ and $F : \mathcal{L}_P \to (\mathcal{G}(\mathcal{L}_O))^{+}$ define a symbolic strategy $\sigma$ if for all even-length $s\,m_O\,m_P \in \sigma$ ($m_O$ necessarily symbolic):

— $\lfloor m_P\rfloor = f(\lfloor m_O\rfloor)$

— for all $u, v \in (\{l, r, L, R\} \cup \mathcal{G})^*$ and $A \in \mathcal{G}^{+}$ such that $m_P = u^{A}v$, where $\lfloor u\rfloor$ is a P-location and $v$ begins with one of $l, r, L$ or $R$, the argument $A$ is determined by $F(\lfloor u\rfloor)$ as follows: suppose the O-locations that appear in $F(\lfloor u\rfloor)$ are $w_1, \ldots, w_k$; then $A$ is obtained from $F(\lfloor u\rfloor)$ by replacing each $w_i$ by $\lceil w_i\rceil$, where each $\lceil w_i\rceil$ must already be defined in $s\,m_O$.

We write $\sigma = \sigma_{f,F}$ if $f, F$ are the least such functions. □

By definition, it is easy to see:

1. $f$ and $F$ are related: each P-location in $\mathrm{dom}(F)$ is a prefix of some element in $\mathrm{cod}(f)$.

2. By leastness of $f$ and $F$, elements of $\mathrm{dom}(f) \cup \mathrm{cod}(f)$ are incomparable.

Note that a symbolic strategy is location-wise history-free, in the sense that the location of P's response at any position depends only on the preceding O-move.

To model proofs, $f$ and $F$ should be finite (it is enough to require that of $f$). The finiteness is needed to eliminate infinite strategies like the one for the game $[\forall X.X] \multimap [\forall Y.Y]$ in which P replies by importing $(\ldots \multimap [\forall Y.Y]) \multimap a$, where $a$ is the token of the last O-move, and then playing the ground token $a$. This puts O in the same position as at the beginning of the game, and the play could continue indefinitely, if $f$ and $F$ were allowed to be infinite.

Definition 4. A regular strategy is a total, ground-token-reflecting¹ symbolic strategy $\sigma_{f,F}$ given by some finite $f$ and $F$, where $f$ is an injection.

It follows that if $s\,m_O\,m_P \in \sigma$, $m_P = u^{A}v$ for a P-location $\lfloor u\rfloor$, $v$ beginning with one of $l, r, L$ and $R$, and

$F(\lfloor u\rfloor) = G_1(w_1, \ldots, w_k) \cdots G_n(w_1, \ldots, w_k) \in (\mathcal{G}(\mathcal{L}_O))^{+}$

(where each $G_i(w_1, \ldots, w_k)$ is in $\mathcal{G}(\mathcal{L}_O)$ such that the O-locations that appear in it are among $w_1, \ldots, w_k$) then in the P-view $\ulcorner s\urcorner$ of $s\,m_O$ there must be O-moves which define $\lceil w_i\rceil$ for each $i$ (i.e. the evolution argument which O has supplied at each $w_i$).

Example 3. The strategy considered in Example 2, given by:

$f = \{(RlR, LlR), (LlL, RlL), (RrR, LrR), (LrL, RrL)\}$

$F = \{(L, R), (Lr, Rr)\}$

is regular. Note that this is the identity strategy.

Remark 2. In general, it is too weak to require the dependence of evolution arguments on P-views. Consider the following sequent:

$\vdash \forall X.X \otimes (\forall X.X \multimap b \otimes \forall Y.Y) \multimap b \otimes \forall Y.Y.$

P's response at the two positions

$(Rl)(LrRl)(LrL^{\ldots})$ and $(Rr^{a})(LrRr^{a})(LrL^{a})$

should be the same, say, $(Ll^{a \otimes a}r)$, but if the way P imports evolution arguments is to depend on P-views, we are free to play $\ldots$ in the first instance and $Ll^{[\forall Y.Y] \otimes a}r$ in the second. For regular strategies, this is not possible. Since $\lceil Ll\rceil$ must be defined in terms of the evolution arguments O has imported (at certain O-locations) defined in the history of the play, it must depend solely on $\lceil LrL\rceil$. This forces P to import the same evolution argument in both instances.

It is easy to see that regular strategies are finite, in the sense that a regular strategy is a finite set of positions, and so every play terminates. In the following we shall see how they can be used to generate possibly infinite plays.

¹ I.e. for every even-length $s\,m^{-}\,m \in \sigma$, if the O-move $m^{-}$ is a ground token $a$, then the token of $m$ is also $a$ (see M).
4 Good Strategies for Composition

Unfortunately regular strategies cannot be composed. This section is concerned with a notion of strategies that are good for composition. Good strategies are generated from regular ones by a process of copycat expansion, which is essentially a semantic form of $\eta$-expansion [1811 ()j. We shall see that good strategies compose by the standard mechanism of "parallel composition with hiding" P).

Definition 5 (Good strategies). Take a regular strategy $\sigma = \sigma_{f,F}$. The good strategy generated from $\sigma$, written $\bar{\sigma}$, is defined by the following algorithm: Suppose the odd-length position $sm \in \bar{\sigma}$ is such that $\lfloor m\rfloor = t$. Find $u \le t$ such that $u \in \mathrm{cod}(f) \cup \mathrm{dom}(f)$. (Note that a unique such $u$ exists by induction on the length of positions.) This decomposes the O-move $m$ into $m_u m_v$ such that $t = uv$, $m_u$ ends in one of $l, r, L$ and $R$, and $\lfloor m_u\rfloor = u$. There are two cases:

(i) If $u \in \mathrm{dom}(f)$, play $\hat{f}(u)\,m_v$.

(ii) If $u \in \mathrm{cod}(f)$, play $f^{-1}(u)\,m_v$.

In case (i) if $u$ is encountered in the play for the first time, $\hat{f}(u)$ is obtained from $f(u)$ by inserting appropriate evolution arguments using $F$, based on the evolution arguments which O has already given in $sm$; otherwise $\hat{f}(u) = f(u)$.



Remark 3. In a play, the evolution argument for each slot (whether O or P) is given explicitly only once. Thus in case (i), $\hat{f}(u) = f(u)$ if the $u$ in question has already been met in the history of play. In case (ii), all slots should have already been defined, since the corresponding instance of case (i) must have been encountered first. This explains the apparent asymmetry in the two cases.



Lemma 1 (Zigzag). In any position of a good strategy generated by $f$ and $F$, for any $u \in \mathrm{dom}(f)$, $f$ is applied in case (i) first if at all; thereafter each time before (i) is applied again for the same $u$, an instance of case (ii) must have already occurred for that $u$.

Proof. Otherwise, in the subgame rooted at $t$, we would have two consecutive O-moves. □

It is straightforward to see that good strategies are (location-wise) history-free and total. Good strategies can be infinite, as the following example illustrates.

Example 4. Take the good strategy extending the symbolic identity $(\epsilon, R^{a}, \ldots)$ for the game $[\forall X.X] \multimap [\forall Y.Y]$. Suppose O plays $\ldots$; P plays copycat and so responds by $\ldots$. From this point onwards, both players behave analogously, thus engaging in an infinite exchange.
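The location-wise part of Definition 5 (decompose the O-move's location $t$ as $uv$ with $u$ the unique prefix in $\mathrm{dom}(f) \cup \mathrm{cod}(f)$, answer with $f(u)v$ or $f^{-1}(u)v$) and the O/P-location parity rule of Section 2 can be run on strings over $\{l, r, L, R\}$. The following is an added illustration written for this page, not code from the paper: the $F$ component (evolution arguments) is deliberately not modelled, only locations are, and the dictionary `IDENTITY_F` is my transcription of the $f$ of Example 3. The two trailing moves in `main` are constructed to sit underneath the slot $RlR$ / $LlR$, as if that slot had been instantiated with a compound game, so that case (i) and then case (ii) of the definition fire in turn (the zigzag of Lemma 1).

```python
"""Location-wise copycat expansion of a regular strategy (Definition 5).

Locations are strings over {l, r, L, R}.  A location is an O-location when it
contains an even number of L's, a P-location otherwise.  The function f of a
regular strategy maps O-locations to P-locations; the good strategy answers an
O-move at location t by finding the unique prefix u of t lying in dom(f) or
cod(f) and replying f(u)v, resp. f^{-1}(u)v, where t = uv.  Evolution arguments
(the F component) are not modelled here.  Added example, not the paper's code.
"""


def is_o_location(loc: str) -> bool:
    """O-location iff the number of L's is even (so the empty location is O's)."""
    assert set(loc) <= set("lrLR"), f"bad location {loc!r}"
    return loc.count("L") % 2 == 0


def check_regular(f: dict) -> None:
    """Sanity checks on f: O-locations to P-locations, injective, and
    dom(f) ∪ cod(f) pairwise incomparable (no element is a prefix of another)."""
    for u, v in f.items():
        if not is_o_location(u) or is_o_location(v):
            raise ValueError(f"{u} -> {v} does not map an O-location to a P-location")
    if len(set(f.values())) != len(f):
        raise ValueError("f must be an injection")
    locs = list(f) + list(f.values())
    for a in locs:
        for b in locs:
            if a != b and b.startswith(a):
                raise ValueError(f"{a} is a prefix of {b}: dom(f) ∪ cod(f) not incomparable")


def decompose(t: str, f: dict) -> tuple:
    """Split the O-move location t as uv with u in dom(f) ∪ cod(f)."""
    candidates = [u for u in list(f) + list(f.values()) if t.startswith(u)]
    if len(candidates) != 1:
        raise ValueError(f"no unique prefix of {t} in dom(f) ∪ cod(f): {candidates}")
    u = candidates[0]
    return u, t[len(u):]


def reply(t: str, f: dict) -> str:
    """Location of P's answer to an O-move played at location t (cases (i)/(ii))."""
    if not is_o_location(t):
        raise ValueError(f"{t} is a P-location; only O-moves are answered")
    u, v = decompose(t, f)
    if u in f:                      # case (i): u in dom(f)
        return f[u] + v
    inverse = {p: o for o, p in f.items()}
    return inverse[u] + v           # case (ii): u in cod(f)


# f of the identity strategy of Example 3 (my reading of the paper's table);
# keys are O-locations, values the P-locations they are copied to.
IDENTITY_F = {"RlR": "LlR", "LlL": "RlL", "RrR": "LrR", "LrL": "RrL"}


def play(o_moves, f=IDENTITY_F):
    """Run a sequence of O-move locations through the good strategy; return P's replies."""
    check_regular(f)
    return [reply(t, f) for t in o_moves]


if __name__ == "__main__":
    # Locations of the O-moves of Example 2(i), then two constructed moves under
    # the RlR / LlR slot: RlRR hits case (i), the answer LlRL hits case (ii).
    print(play(["RlR", "LlL", "RrR", "LrL", "RlRR", "LlRL"]))
```

Running it prints `['LlR', 'RlL', 'LrR', 'RrL', 'LlRR', 'RlRL']`: the first four replies are the identity copycat of Example 2(i), the last two show the prefix decomposition at work once the slot has grown.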

Now composition (of good strategies) can be defined by the conventional definition. In fact

Theorem 1. Good strategies compose. □

We prove the Theorem directly, without recourse to the formal system IMAL2, as a simple consequence of the following lemma.

Lemma 2. (i) The composite strategy of two good strategies is total, i.e. there is no infinite chattering when the two strategies interact.

(ii) The composite of two good strategies is generated from a regular strategy $\sigma_{f,F}$ for some finite $f$ (and so $F$ is also finite). □

Remark 4. The composition algorithm that works is the standard one [2] but appropriate adjustments should be made to respect the convention that the locations of $B$-moves in $A \multimap B$ begin with $R$, whereas those in $B \multimap C$ begin with $L$. Therefore if $\sigma$ (for $A \multimap B$) tells P to play (the move whose location is) $Ru$ in $B$, he should ask $\tau$ (for $B \multimap C$) what to do with (the move whose location is) $Lu$ (rather than $Ru$).

We devote the next sections to the introduction of essential nets for IMAL2 
with the aim of proving the main result of the paper: 

Theorem 2 (Full Completeness). Evolving games and good strategies are 
fully and faithfully complete for IMAL2. □ 



5 Essential Nets for IMAL2 and IMLL2

We extend Lamarche's essential nets [11,14] for (quantifier-free) IMLL to the second-order affine fragment. Our correctness criterion is motivated by the evolving game model and corresponds to the rule that the game imported by P is determined "uniformly" by those imported by O earlier. To our knowledge, the results in this section are also new. Proof nets for first-order MLL which extend the DR-criterion p| for MLL have already been proposed in [Bj, from which it is an easy step to derive a correctness criterion for MLL2 (i.e. second-order classical MLL). Although IMLL2 is a sublogic of MLL2, essential nets are quite a different kind of structure from proof nets; knowing the corresponding DR-criterion is not much of a help in finding a correctness criterion for essential nets.

Essential nets are a graphical representation of derivations of IMAL2 sequents expressed in polarized form $\Vdash N_1, \ldots, N_k, P$, where the $N_i$s are negative formulas and $P$ is a positive formula; note that the polarized sequents are one-sided. In the following we shall assume the correspondence between the two-sided sequents $\vdash$ and one-sided polarized sequents $\Vdash$, and use them interchangeably.

Definition 6. An essential net for an IMAL2 sequent $\Vdash N_1^{-}, \ldots, N_k^{-}, P^{+}$ in polarized form is a directed graph which is constructed from the following components:

— axiom link, which is an oriented edge from a positive copy to a negative copy of a propositional atom or second-order variable:
$a^{+} \to a^{-}$ and $X^{+} \to X^{-}$

— polarized $\otimes$-nodes and $\parr$-nodes (premises above, node below):

$A^{-}\ B^{+}$ over $A^{-} \parr^{+} B^{+}$; $A^{-}\ B^{-}$ over $A^{-} \otimes^{-} B^{-}$; $A^{+}\ B^{+}$ over $A^{+} \otimes^{+} B^{+}$; $A^{+}\ B^{-}$ over $A^{+} \parr^{-} B^{-}$

In each of the four components above, the two nodes situated above are called premises of the node below (similarly for the $\forall^{+}$-node and $\forall^{-}$-node in the following). We call the left premise of a $\parr^{+}$-node its sink; note that there is no edge linking a $\parr^{+}$-node to its sink.

— $\forall^{+}$-nodes:

$A^{+}$ over $\forall^{+}X.A^{+}$, joined by an edge,

where $X$ is called the eigenvariable of the node $\forall^{+}X.A^{+}$.

— $\forall^{-}$-nodes:

$A^{-}[T/X]$ over $\forall^{-}X.A^{-}$, joined by an edge labelled $T$.

Note the labelled edge. If $X$ occurs in $A$, the label $T$ can be retrieved from the net. We call $T$ the eigentype of the $\forall^{-}$-node.

— and weakening nodes (note the bar over the formula)

$\overline{A^{-}}$

such that the conclusions of the net (nodes that are not premises of any node) are exactly $N_1^{-}, \ldots, N_k^{-}, P^{+}$, polarized as indicated. The positive conclusion is called the root of the net.

Important Convention. In addition we require that:

1. the eigenvariables be distinct

2. every variable that occurs in the net be the eigenvariable of some $\forall^{+}$-node, otherwise we replace all its occurrences throughout the net by a fresh propositional atom

3. conclusions are closed formulas.

An essential net for an IMLL2 sequent is defined in exactly the same way by construction from the above components but less the weakening nodes. Note that an IMLL2 net is also an IMAL2 net. □
It is an easy exercise to check that each IMAL2 derivation (expressed in terms of polarized sequents) determines an essential net for the end-sequent. Of course there are essential nets that do not arise in this way, as the next example shows.

Example 5. We give the "obvious" essential net for the (invalid) sequent $\vdash \forall Z.(a \otimes Z) \multimap (a \otimes \forall X.X)$ in Figure 2. The reader might wish to construct an essential net for the (invalid) sequent $\vdash \forall X\forall Y.(X \otimes Y) \multimap (\forall Y.Y \otimes \forall Z.Z)$.




Fig. 2. An essential net for $\Vdash \forall^{-}Z.(a^{-} \otimes^{-} Z^{-}) \parr^{+} (a^{+} \otimes^{+} \forall^{+}X.X^{+})$.

[A note on figures: Owing to typographical constraints, we have been economical with the node-labels in our drawing of essential nets, often displaying only the outermost connective rather than the whole formula.]

The main challenge in finding a correctness criterion (a characterization of essential nets that arise from derivations) is to capture the side condition of the rule ($\forall$-r). It turns out that the notion of essential nets alone (and in particular the Convention) already rules out several invalid sequents.

Example 6. (i) There is no essential net for $\Vdash X^{-}, \forall^{+}X.X^{+}$ because of the convention that conclusions must be closed formulas; note that $X^{-}$ may not be replaced by a fresh atom because it is an eigenvariable.

(ii) There is no essential net for

$\Vdash \forall^{-}Y.(Y^{-} \otimes^{-} Y^{-}), \forall^{+}X.X^{+} \otimes^{+} \forall^{+}Z.Z^{+}$

because $X^{+}$ and $Z^{+}$ are different and it is impossible to axiom-link each of them with $Y^{-}$.

Correctness Criterion for IMAL2 and IMLL2 Essential Nets

It is straightforward to see that if an IMAL2 essential net is acyclic then every node is reachable from either the root or from a weakening node (or from both). In the case of IMLL2 nets, acyclicity implies that every node is reachable from the root.

Definition 7. An IMLL2 essential net is said to be correct just in case:

(1) the digraph is acyclic

(2) for any $\parr^{+}$-node $p$, every path from the root to $p$'s sink passes through $p$

(3) for any $\forall^{-}$-node $q$ whose eigentype is $T$ (say), for any free variable $X$ that occurs in $T$, every path from the root to $q$ passes through the $\forall^{+}$-node whose eigenvariable is $X$. □

Example 7. (i) In the essential net in Figure 2, note that the $\forall^{-}$-node does not satisfy condition (3): there is a path from the root to the $\forall^{-}$-node without passing through the $\forall^{+}$-node.

(ii) The sequent $\vdash \forall Y.Y \otimes \forall Z.Z \multimap \forall X.(X \otimes X)$ has (infinitely) many correct essential nets.

Definition 8. An explicit IMAL2 net $N'$ is a directed graph that is obtained from an IMAL2 net $N$ by joining each weakening node to some positive node by a directed edge (pointing from the positive node to the negative weakening node); we say that $N$ extends to $N'$. Clearly $N'$ has the same node-set as $N$; by abuse of terminology, we say that a node in $N'$ is a $\parr^{+}$-node (similarly for $\forall^{+}$-node, $\otimes^{-}$-node etc.) just in case it is in $N$.

An IMAL2 essential net $N$ is said to be correct if it is possible to extend $N$ to an explicit IMAL2 net $N'$ which satisfies conditions (1), (2) and (3) of Definition 7. □
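Conditions (2) and (3) of Definition 7 are both of the form "every path from the root to $x$ passes through $y$", which on a finite digraph is the statement that $x$ is no longer reachable from the root once $y$ is deleted. The following checker is an added example written for this page, not code from the paper. It takes an explicit net (so a weakening edge, if any, is already chosen, which is how Definition 8 reduces to Definition 7 here) as an adjacency structure and assumes Lamarche's orientation of edges: positive nodes point up to their premises, negative nodes receive edges from their premises, axiom links go from the positive to the negative atom, and a $\parr^{+}$-node has no edge to its sink. The two sample nets are the net of Fig. 2 (which Example 7(i) says violates condition (3)) and a constructed net for $\vdash \forall Z.Z \multimap \forall X.X$.

```python
"""Checker for the correctness criterion of Definition 7 on small essential nets.

Added example, not the paper's code.  A net is a digraph with extra bookkeeping:
which ⅋⁺-node has which sink, which ∀⁺-node binds which eigenvariable, and which
free variables occur in the eigentype of each ∀⁻-node.  Edge orientation assumed:
positive nodes -> premises, premises -> negative nodes, axiom links X⁺ -> X⁻.
"""
from collections import defaultdict


class Net:
    def __init__(self, root):
        self.root = root
        self.edges = defaultdict(set)     # node -> successors
        self.sink = {}                    # ⅋⁺ node -> its left premise (sink)
        self.eigenvar = {}                # ∀⁺ node -> eigenvariable
        self.eigentype_fv = {}            # ∀⁻ node -> free variables of its eigentype

    def edge(self, a, b):
        self.edges[a].add(b)

    def reachable(self, start, avoid=None):
        """Nodes reachable from `start` without ever entering `avoid`."""
        seen, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n in seen or n == avoid:
                continue
            seen.add(n)
            stack.extend(self.edges[n])
        return seen

    def acyclic(self):
        """Condition (1), by a white/grey/black depth-first search."""
        state = {}

        def visit(n):
            if state.get(n) == "grey":
                return False
            if state.get(n) == "black":
                return True
            state[n] = "grey"
            ok = all(visit(m) for m in list(self.edges[n]))
            state[n] = "black"
            return ok

        nodes = set(self.edges) | {m for ms in self.edges.values() for m in ms}
        return all(visit(n) for n in nodes)

    def passes_through(self, target, via):
        """Every path root -> target goes through `via`: delete `via` and the
        target must become unreachable (trivially true when via == target)."""
        if target == via:
            return True
        return target not in self.reachable(self.root, avoid=via)

    def violations(self):
        """Failed conditions of Definition 7; an empty list means the net is correct."""
        bad = []
        if not self.acyclic():
            bad.append("(1) the digraph has a cycle")
        for p, s in self.sink.items():                      # condition (2)
            if not self.passes_through(s, p):
                bad.append(f"(2) a path from the root to the sink of {p} avoids {p}")
        binder = {x: n for n, x in self.eigenvar.items()}   # eigenvariable -> ∀⁺ node
        for q, fvs in self.eigentype_fv.items():            # condition (3)
            for x in fvs:
                if x not in binder:
                    bad.append(f"(3) variable {x} in the eigentype of {q} has no ∀⁺-node")
                elif not self.passes_through(q, binder[x]):
                    bad.append(f"(3) a path from the root to {q} avoids the ∀⁺-node of {x}")
        return bad


def figure2_net():
    """Fig. 2: ⊩ ∀⁻Z.(a⁻ ⊗⁻ Z⁻) ⅋⁺ (a⁺ ⊗⁺ ∀⁺X.X⁺), with eigentype X for Z."""
    n = Net(root="par+")
    n.sink["par+"] = "forall-Z"
    n.edge("par+", "tensor+")                          # ⅋⁺ -> right premise only
    n.edge("tensor+", "a+"); n.edge("tensor+", "forall+X")
    n.edge("forall+X", "X+"); n.eigenvar["forall+X"] = "X"
    n.edge("a+", "a-"); n.edge("X+", "X-")             # axiom links
    n.edge("a-", "tensor-"); n.edge("X-", "tensor-")   # ⊗⁻: premises -> node
    n.edge("tensor-", "forall-Z"); n.eigentype_fv["forall-Z"] = {"X"}
    return n


def identity_net():
    """Constructed net for ⊩ ∀⁻Z.Z⁻ ⅋⁺ ∀⁺X.X⁺ (i.e. ∀Z.Z ⊸ ∀X.X), eigentype X for Z."""
    n = Net(root="par+")
    n.sink["par+"] = "forall-Z"
    n.edge("par+", "forall+X"); n.eigenvar["forall+X"] = "X"
    n.edge("forall+X", "X+"); n.edge("X+", "X-")
    n.edge("X-", "forall-Z"); n.eigentype_fv["forall-Z"] = {"X"}
    return n


if __name__ == "__main__":
    print(figure2_net().violations())   # condition (3) fails, as in Example 7(i)
    print(identity_net().violations())  # []: the net is correct
```

On the Fig. 2 net the path root, $\otimes^{+}$, $a^{+}$, $a^{-}$, $\otimes^{-}$, $\forall^{-}Z$ bypasses the $\forall^{+}X$-node, which is exactly the failure reported; on the second net the only route to the $\forall^{-}$-node runs through $\forall^{+}X$, so all three conditions hold.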

Now for some examples of essential nets that have weakening nodes:

Example 8. (i) Consider the essential net given by the following derivation

$\Vdash Y^{-} \parr^{+} Y^{+}$
$\Vdash Y^{-}, Y^{-} \parr^{+} Y^{+}$
$\Vdash \forall^{-}X.X^{-}, Y^{-} \parr^{+} Y^{+}$
$\Vdash \forall^{-}X.X^{-}, \forall^{+}Y.(Y^{-} \parr^{+} Y^{+})$

which has two connected components. The net can be strengthened to a net that satisfies the IMLL2 correctness criterion by connecting $Y^{+}$ to the weakening node $\overline{Y^{-}}$.

(ii) The sequent $(a \multimap b)\ (b \multimap a) \multimap c, d \vdash d$ has no correct essential net in which $c$ is a weakening node.

(iii) The sequent $a \multimap a, b \vdash b$ has no correct essential net which contains no weakening node. Of course it has a correct essential net in which $a \multimap a$ is a single weakening node; in which case the net is suitably strengthened by linking $b^{+}$ with $a \multimap a$.



Theorem 3 (Sequentialization). IMAL2 (and hence also IMLL2) essential nets $\mathcal{E}$ satisfying the correctness criterion are sequentializable, i.e. there is a derivation of the end-sequent that gives rise to $\mathcal{E}$. □
Canonical Essential Nets

Although essential nets respect the commuting conversions of IMLL, the addition of weakening brings out new ones which are not handled so well. For example the proofs below should be deemed equivalent, but their essential nets differ:

               x ⊢ x
    z ⊢ z     ---------
              y, x ⊢ x
    -------------------------
      z, z ⊸ y, x ⊢ x

        x ⊢ x
    -----------------
    z ⊸ y, x ⊢ x
    -----------------
    z, z ⊸ y, x ⊢ x

Another problem is the commutation of weakening with the $\otimes$-rule. The two proofs

       x ⊢ x
    -------------
    y, x ⊢ x
    -------------
    y, z, x ⊢ x                 x ⊢ x
    -------------           -------------
    y ⊗ z, x ⊢ x            y ⊗ z, x ⊢ x

are equivalent, but the corresponding nets are different. This motivates the following notion of equivalence:

Definition 9. Two essential nets for the same end-sequent are said to be equivalent if they are identical when restricted to the parts that are reachable from the root (the unique positive conclusion).

Good strategies respect this notion of equivalence. For the purpose of proving a strong definability result, it is convenient to reason in terms of appropriate representatives of equivalence classes of essential nets. We call these representatives canonical essential nets, and they satisfy an additional condition: if a node is not reachable from the root, it is a weakening node. (We know that the converse holds, because weakening nodes have no premises and are of negative polarity, so no edge can lead to them.)

The new condition has a number of consequences:

1. a weakening node cannot be the negative premise of a $\parr^{-}$-node, because it would render that $\parr^{-}$-node unreachable

2. at most one premise of a $\otimes^{-}$-node may be a weakening node, for otherwise the $\otimes^{-}$-node would be unreachable

3. the premise of a $\forall^{-}$-node cannot be introduced by weakening

4. all axiom links are reachable.

Canonical essential nets arise "naturally" from sequent calculus derivations in which the use of weakening is delayed for "as long as possible". A derivation may be normalized to a canonical form by first deleting each unreachable connected component and then adding the component back as a single weakening node. A nice consequence is that all $\forall^{-}$-nodes are reachable (from the root), which promises an exact correspondence with strategies. Another is a simplified version of the correctness criterion:

Lemma 3. A canonical IMAL2 net is correct if and only if it satisfies all conditions of Definition 7. □
6 Proof of Full and Faithful Completeness

Our final task is to prove a strong definability theorem:

Theorem 4 (Strong Definability). Correct canonical IMAL2 essential nets and shortsighted regular strategies are in 1-1 correspondence. □

A strategy $\sigma$ is said to be shortsighted just in case for every even-length $s \in \sigma$, if $sm$ is a position then $sm \in \sigma$ if and only if the O-move $m$ is enabled by the last move of $s$. (See m for a definition of the enabling ordering.)

Lemma 4. Fix an IMAL2 sequent $\vdash \Gamma$. (There is no harm in assuming that $\Gamma$ is a formula.) Every shortsighted regular strategy $\sigma = \sigma_{f,F}$ for the associated game determines a canonical essential net $\mathcal{E}_\sigma$ for $\vdash \Gamma$. Further:

(i) $f$ and $F$ respectively define the axiom links and the eigentypes of $\mathcal{E}_\sigma$.

(ii) There is a one-one correspondence between positions in $\sigma$ and paths (starting from the root) in $\mathcal{E}_\sigma$ which end in a leaf. □

The Lemma can be proved by first establishing a lemma similar to […, Lemma 19], which we omit. Instead we set out in detail the correspondence in (i) of the Lemma:

— For each $(u, v) \in f$, $u$ is the occurrence (in $\mathcal{E}_\sigma$) of the positive end of a unique axiom link, and $v$ the occurrence of the negative end.

— Each $t$ in the domain of $F$ is the occurrence of a unique $\forall^{-}$-node. Suppose its eigentype has free variables $Y_1, \ldots, Y_k$ (say), then $F(t)$ is expressed in terms of O-locations which are the occurrences of the $\forall^{+}$-nodes whose eigenvariables are the $Y_i$s.

and illustrate it by the following example.

Example 9. Consider the IMAL2 sequent $\vdash \forall Z.Z \multimap \forall X.(\forall Y.Y \multimap X)$ and a regular strategy generated by

$f = \{(RR, LR), (LLR, RLR), (RLL, LLLl)\}$

$F = \{(L, (([\forall b.b] \otimes R) \multimap R) \multimap R), (RL, R \multimap R), (LLLl, R)\}$

The strategy has the following maximal position

$(R^{a}R)\ (L^{(([\forall b.b] \otimes a) \multimap a) \multimap a}R)\ (LLR)\ (RL^{a \multimap a}R)\ (RLL)\ (LLLl^{a})$

The reader may wish to check that $f$ and $F$ respectively specify the axiom links and the eigentypes of the essential net which is determined by $\sigma$ as shown in Figure 3.

Following on from Lemma 4 we can show that:

Proposition 1. $\mathcal{E}_\sigma$ is correct.
Fig. 3. A correct canonical essential net for $\Vdash \forall^{-}Z.Z^{-} \parr^{+} (\forall^{+}X.(\forall^{-}Y.Y^{-} \parr^{+} X^{+}))$, where $T_1 = ((\forall^{-}Y.Y^{-} \otimes^{-} X^{-}) \parr^{+} X^{+}) \parr^{-} X^{-}$, $T_2 = X^{+} \parr^{-} X^{-}$, $T_3 = \ldots$



Proof. We take advantage of Lemma 4 and prove that $\mathcal{E}_\sigma$ satisfies condition (3) of Definition 7 for illustration; the other two conditions can be shown to hold by arguments similar to those in the proof of […, Theorem 22]. Suppose there is a node $\forall^{-}Z.A$, call it $p$, whose eigentype has a free variable $Y$ (say). Since $\mathcal{E}_\sigma$ is canonical, $p$ is reachable from the root. For a contradiction, suppose there is a path from the root to $p$, whose occurrence (a P-location) in $\mathcal{E}_\sigma$ is $t$ (say), without passing through the $\forall^{+}Y.\ldots$-node, whose occurrence (an O-location) is $t'$ (say). By Lemma 4(ii), there is a position (pick the shortest) in $\sigma$, $s\,m_O\,m_P$ say, that ends in a move $m_P$ of the form $u^{A}v$ where the location of $u$ is $t$; further no move from the position has a location that has $t'$ as a prefix. By definition of symbolic strategy and by Lemma 4(i), $F(t)$ is expressed in terms of $\lceil t'\rceil$ (among possibly other O-locations), which should already be defined in the position. But this contradicts our assumption. □

This proves Theorem 4 and hence Theorem 2.



Further directions. For us, this work is a necessary step towards the construction of a fully complete model for Second-order Intuitionistic Multiplicative Light Affine Logic (IMLAL2) [7l4j], and so, a game characterization of the PTIME functions. We believe that an appropriate synthesis of this work with our recent discreet strategies model for (quantifier-free) IMLAL (see ^Hl) should produce the result. It would also be interesting to investigate full completeness for IMLL2, and for IMAL2 with unit.
Abstract. In this paper we prove the decidability of the existence of a definable retraction between two given simple types. Instead of defining some extension of a former type system from which these retractions could be inferred, we obtain this result as a corollary of the decidability of the minimal model of simply typed $\lambda$-calculus.



Although definably isomorphic simple types are fully characterized in fRL^ as a sequel to a classical result by Dezani for untyped $\lambda\beta\eta$-calculus [Dez76], the more general problem of definable retractions has been left open: given two simple types $A$ and $B$, this problem is to decide whether there exist $u : A \to B$ and $v : B \to A$ such that $(v \circ u) =_{\beta\eta} I$.

In [BL85], Bruce and Longo exhibit a type system from which one can infer all retractions that are definable without the $\eta$-rule. In the same paper, they prove the soundness and the incompleteness, with respect to the general case, of a proper extension of this system. In [IZS22], de'Liguoro, Piperno and Statman show how to extend the latter system to derive all retractions that are definable by linear $\lambda$-terms.

This paper attacks the retraction problem from a much more syntactical angle. Instead of trying to give a complete extension of a former system, we use the decision algorithm for the minimal model of simply-typed $\lambda$-calculus (see …) to build a new algorithm that decides whether a simple type is a retract of another.

For the sake of simplicity, we will focus on the special case where the calculus contains a single ground type. However, this restriction is not crucial: as shown in Einna, a minimal model built with more than one ground type is still decidable, and the result can be easily extended to the general case. Also, we will add to the calculus a constant of ground type; again, this addition is harmless, and is only intended to simplify the proof. Both restrictions are discussed in the conclusion.

The paper is divided in two main parts. In sections 1.1, 1.2 we introduce two sets of terms $\mathcal{C}$ and $\mathcal{D}$, the sets of coders and decoders. In section 1.3 we show that the definability of a retraction by some pair in $\mathcal{C} \times \mathcal{D}$ is a decidable property. In section 2 we prove that if a retraction is definable, then it is definable by a pair in $\mathcal{C} \times \mathcal{D}$. For that purpose we define in sections 2.1 and 2.2 an algorithm which transforms any retraction pair into a pair in $\mathcal{C} \times \mathcal{D}$. The faithfulness of the conversion is proved at section …

S. Abramsky (Ed.): TLCA 2001, LNCS 2044, pp. .47fi- TTOI 2001. 
1 Coders and Decoders

We consider the simply-typed $\lambda$-calculus with a single ground type $o$, a single constant $\bot$ of ground type, with a typing à la Church. In the sequel, by terms and types, we understand simply-typed terms and simple types.

The notation $M : A$ indicates that $M$ is a term of type $A$. Types will be frequently omitted whenever they are irrelevant, or implicit from the context. We will often make use of the following notations:

— $A_1 \ldots A_n \to o$ denotes the type $(A_1 \to (A_2 \to \ldots (A_n \to o) \ldots))$.

— $\lambda x_1 \ldots x_n.(M N_1 \ldots N_m)$ denotes $\lambda x_1 \ldots \lambda x_n.(\ldots (M N_1) \ldots N_m)$. When there is no ambiguity, this term will also be denoted by $\lambda \vec{x}.(M \vec{N})$.

— $\lambda d.M$ denotes a term of the form $\lambda x_1 \ldots x_n.M$ with no $x_i$ free in $M$.



1.1 Retracts and Products

We say that the product of $A^1, \ldots, A^n$ is a retract of $B$ if and only if the following property holds:

There exists a term $M : B$, distinct variables $f^1 : A^1, \ldots, f^n : A^n$ free in $M$, and closed terms $N^1 : B \to A^1, \ldots, N^n : B \to A^n$, such that for all $i \in \{1, \ldots, n\}$ we have $(N^i M) =_{\beta\eta} f^i$.

We denote this property by $(A^1 \times \ldots \times A^n) \lhd B$, and say that the $n+1$-uplet $(M, N^1, \ldots, N^n)$ is a witness for $(A^1 \times \ldots \times A^n) \lhd B$. In the special case where $n = 1$ with $A^1 = A$, we simply write $A \lhd B$, and say that $A$ is a retract of $B$.

Remark 1. In this definition, we do not require $f^1, \ldots, f^n$ to be the only free variables of $M$. Thus, for all subset $\{i_1, \ldots, i_p\}$ of $\{1, \ldots, n\}$, $(M, N^{i_1}, \ldots, N^{i_p})$ is also a witness for $(A^{i_1} \times \ldots \times A^{i_p}) \lhd B$. In particular, if $\emptyset$ denotes the empty product, every term of type $B$ is a witness for $\emptyset \lhd B$.

Our first aim will be to build two sets of terms, $\mathcal{C}$ and $\mathcal{D}$, and to show that the existence of a witness in $\mathcal{C} \times \mathcal{D}^n$ for a relation of the form $(A^1 \times \ldots \times A^n) \lhd B$ is decidable.
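The witness condition $(N^i M) =_{\beta\eta} f^i$ can be checked mechanically on concrete terms by $\beta$-normalising $N^i M$ (simply typed terms always terminate), $\eta$-reducing the result and comparing with the variable $f^i$ up to renaming of bound variables. The following is an added example written for this page, not code from the paper; it uses named variables with capture-avoiding substitution, does not check types, and the two witnesses (`M_EX`, `N_EX` for $(o \to o) \lhd (o \to o \to o)$, and `M_PROD`, `N_1`, `N_2` for the product $(o \times o) \lhd ((o \to o \to o) \to o)$) are constructed here for illustration.

```python
"""Checking a witness (M, N) for A ◁ B (Section 1.1) by βη-normalisation.

Added example, not the paper's code.  Terms are nested tuples:
('var', x), ('lam', x, body), ('app', fun, arg).  β-normalise first, then
η-reduce; on a β-normal term η-reduction creates no new β-redex, so the result
is the βη-normal form.  Comparison is up to α-equivalence via de Bruijn indices.
"""
import itertools

_fresh = itertools.count()


def var(x):
    return ('var', x)


def lam(*args):            # lam('x', 'y', body) = λx.λy.body
    *xs, body = args
    for x in reversed(xs):
        body = ('lam', x, body)
    return body


def app(f, *args):         # app(f, a, b) = ((f a) b)
    for a in args:
        f = ('app', f, a)
    return f


def free_vars(t):
    if t[0] == 'var':
        return {t[1]}
    if t[0] == 'lam':
        return free_vars(t[2]) - {t[1]}
    return free_vars(t[1]) | free_vars(t[2])


def subst(t, x, val):
    """Capture-avoiding substitution t[val/x]."""
    if t[0] == 'var':
        return val if t[1] == x else t
    if t[0] == 'app':
        return ('app', subst(t[1], x, val), subst(t[2], x, val))
    y, body = t[1], t[2]
    if y == x:
        return t
    if y in free_vars(val):         # rename the binder so val is not captured
        z = f"{y}_{next(_fresh)}"
        body, y = subst(body, y, var(z)), z
    return ('lam', y, subst(body, x, val))


def beta_normal(t):
    if t[0] == 'var':
        return t
    if t[0] == 'lam':
        return ('lam', t[1], beta_normal(t[2]))
    f, a = beta_normal(t[1]), beta_normal(t[2])
    if f[0] == 'lam':
        return beta_normal(subst(f[2], f[1], a))
    return ('app', f, a)


def eta_reduce(t):
    if t[0] == 'var':
        return t
    if t[0] == 'app':
        return ('app', eta_reduce(t[1]), eta_reduce(t[2]))
    x, body = t[1], eta_reduce(t[2])
    if body[0] == 'app' and body[2] == var(x) and x not in free_vars(body[1]):
        return body[1]              # λx.(F x) → F when x is not free in F
    return ('lam', x, body)


def debruijn(t, env=()):
    """Nameless form, so that α-equivalent terms compare equal."""
    if t[0] == 'var':
        return ('bound', env.index(t[1])) if t[1] in env else ('free', t[1])
    if t[0] == 'lam':
        return ('lam', debruijn(t[2], (t[1],) + env))
    return ('app', debruijn(t[1], env), debruijn(t[2], env))


def bh_normal(t):
    return debruijn(eta_reduce(beta_normal(t)))


def is_witness(M, N, f):
    """(M, N) witnesses A ◁ B for the free variable f : A iff (N M) =βη f."""
    return bh_normal(app(N, M)) == bh_normal(var(f))


# Constructed witness for (o → o) ◁ (o → o → o): M keeps f on its first argument,
# N feeds the same y to both arguments, so (N M) = λy.(f y) =η f.
M_EX = lam('z1', 'z2', app(var('f'), var('z1')))
N_EX = lam('g', 'y', app(var('g'), var('y'), var('y')))

# Constructed witness for (o × o) ◁ ((o → o → o) → o): M = λs.(s f1 f2), and each
# decoder hands M a projection, in the spirit of the selectors of Section 1.2.
M_PROD = lam('s', app(var('s'), var('f1'), var('f2')))
N_1 = lam('g', app(var('g'), lam('x', 'y', var('x'))))
N_2 = lam('g', app(var('g'), lam('x', 'y', var('y'))))

if __name__ == "__main__":
    print(is_witness(M_EX, N_EX, 'f'))                        # True
    print(is_witness(lam('z1', 'z2', var('z1')), N_EX, 'f'))  # False: f is lost
    print(is_witness(M_PROD, N_1, 'f1'), is_witness(M_PROD, N_2, 'f2'))  # True True
```

The failing case shows what the definition rules out: a term $M$ that drops $f$ cannot be decoded back to $f$ by any $N$, since $f$ no longer occurs in $N M$.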

1.2 Projections, Coders, and Decoders

— we let $(o^0 \to o) = o$, and $(o^{n+1} \to o) = (o \to (o^n \to o))$.

— we call projection every term of the form

$\Pi^n_i = \lambda x_1 \ldots x_n.x_i : (o^n \to o)$ ($i \in \{1, \ldots, n\}$).

— we call selector every closed term whose type is of the form

$B_1 \ldots B_m \to (o^n \to o)$.

— we let $\mathcal{C}, \mathcal{D}$ be the least sets of terms satisfying the following:

— $f : o \in \mathcal{C}$, for all variable $f$ of ground type.

— $\lambda x.x : o \to o \in \mathcal{D}$.

— Suppose the types $A^1, \ldots, A^n, B$ are of the following form:

$A^i = A^i_1 \ldots A^i_{p_i} \to o$ ($i \in \{1, \ldots, n\}$),

$B = B_1 \ldots B_m \to o$.

Let $f^1 : A^1, \ldots, f^n : A^n, z_1 : B_1, \ldots, z_m : B_m$ be distinct variables.

Let $S$ be a selector of type $B_1 \ldots B_m \to (o^n \to o)$.

For each $i \in \{1, \ldots, n\}$:

Let $\varphi_i$ be an arbitrary function from $\{1, \ldots, p_i\}$ to $\{1, \ldots, m\}$. For each $j \in \{1, \ldots, p_i\}$, let $D^i_j : B_{\varphi_i(j)} \to A^i_j \in \mathcal{D}$.

Then, the following term $C : B$ belongs to $\mathcal{C}$:

$C = \lambda z_1 \ldots z_m.(S z_1 \ldots z_m)\,(f^1 (D^1_1 z_{\varphi_1(1)}) \ldots (D^1_{p_1} z_{\varphi_1(p_1)})) \ldots (f^n (D^n_1 z_{\varphi_n(1)}) \ldots (D^n_{p_n} z_{\varphi_n(p_n)}))$

The term $S$ will be called the main selector of $C$.

— Let $y_1 : A_1, \ldots, y_p : A_p$ be distinct variables. Let $C_1 : B_1, \ldots, C_m : B_m$ be terms in $\mathcal{C}$ whose free variables are all amongst $y_1, \ldots, y_p$. Let $g$ be a fresh variable of type $B = B_1 \ldots B_m \to o$. Then:

$D = \lambda g\, y_1 \ldots y_p.(g\, C_1 \ldots C_m) : B \to (A_1 \ldots A_p \to o) \in \mathcal{D}$

We call coder every element of $\mathcal{C}$, and decoder every element of $\mathcal{D}$.

1.3 Observational Equivalence

We define the equivalence relation $\equiv$ on the set of selectors with:

let $S, S'$ be selectors of same type $B_1 \ldots B_m \to (o^n \to o)$. Then $S \equiv S'$ if and only if for all projection $\Pi : (o^n \to o)$ and for all term $F$, $(F S) =_{\beta\eta} \Pi \Leftrightarrow (F S') =_{\beta\eta} \Pi$.

Proposition 1. The number of selector classes of any given type is finite. Moreover, there exists a computable function which, given an arbitrary selector type, returns a set of selectors of this type which is complete, up to $\equiv$.

Proof. This follows immediately from the fact that, on one hand, the relation $\equiv$ on selectors coincides with observational equivalence in the minimal model of simply typed $\lambda$-calculus, on the other hand, this model is decidable. See [Fad95] for details, or [Schh8] for an alternate proof of decidability, or [Loa.hT] for a brief presentation of Schmidt-Schauß' algorithm.

We extend $\equiv$ to coders and decoders with the following definition:

— let $C, C'$ be coders of same type, same free variables $f^1 : A^1, \ldots, f^n : A^n$, of the following forms:

  - $C = \lambda \vec{z}.(S \vec{z})(f^1 \vec{u}^1) \ldots (f^n \vec{u}^n)$,

  - $C' = \lambda \vec{z}.(S' \vec{z})(f^1 \vec{v}^1) \ldots (f^n \vec{v}^n)$.

Then $C \equiv C'$ if and only if:

  - $S \equiv S'$, i.e. the main selectors of $C, C'$ are equivalent,

  - for all $i, j$, if $u^i_j = (D z)$ and $v^i_j = (D' z')$, then $z = z'$ and $D \equiv D'$.

— let $D, D'$ be decoders of same type, of the following forms:

  - $D = \lambda g \vec{y}.(g\, C_1 \ldots C_m)$,

  - $D' = \lambda g \vec{y}.(g\, C'_1 \ldots C'_m)$.

Then $D \equiv D'$ if and only if for all $k \in \{1, \ldots, m\}$ we have $C_k \equiv C'_k$.



Lemma 1. Let $C, C'$ be coders. Suppose $C \equiv C'$. Then for all term $F$ and all projection $\Pi$, we have $F C =_{\beta\eta} \Pi$ if and only if $F C' =_{\beta\eta} \Pi$.

Proof. Assuming $C \equiv C'$, the terms $C, C'$ are of the following forms:

  - $C = \lambda \vec{z}.(S \vec{z})(f_1 \vec{u}^1) \ldots (f_n \vec{u}^n)$,

  - $C' = \lambda \vec{z}.(S' \vec{z})(f_1 \vec{v}^1) \ldots (f_n \vec{v}^n)$,

with $S \equiv S'$. Suppose for instance $(F C) =_{\beta\eta} \Pi$. Then $f_1, \ldots, f_n$ are not free in the normal form of $(F C)$, therefore:

$\Pi =_{\beta\eta} (F C)$
$\quad =_{\beta\eta} (F\, C[\lambda d.\bot/f_1, \ldots, \lambda d.\bot/f_n])$
$\quad =_{\beta\eta} F(\lambda \vec{z}.(S \vec{z}\, \vec{\bot}))$

where $\vec{\bot}$ denotes a sequence of $\bot$ of length $n$. Now, the main selectors $S, S'$ of $C, C'$ are equivalent, therefore:

$\Pi =_{\beta\eta} F(\lambda \vec{z}.(S' \vec{z}\, \vec{\bot}))$
$\quad =_{\beta\eta} (F\, C'[\lambda d.\bot/f_1, \ldots, \lambda d.\bot/f_n])$
$\quad =_{\beta\eta} (F C')$

Lemma 2. Let $C$ be a coder, $D$ a decoder. If $(C, D)$ is a witness for $A \lhd B$, and if $C \equiv C'$ and $D \equiv D'$, then $(C', D')$ is a witness for $A \lhd B$.

Proof. Let $f$ be the variable such that $(D C) =_{\beta\eta} f$. We use induction on the type $B$ of $C$ and $C'$ to show that $(D' C') =_{\beta\eta} f$. According to the definition of equivalence, the considered terms are of the following forms:

  - $C = \lambda z_1 \ldots z_m.(S \vec{z})(f^1 \vec{u}^1) \ldots (f^n \vec{u}^n)$,

  - $C' = \lambda z_1 \ldots z_m.(S' \vec{z})(f^1 \vec{v}^1) \ldots (f^n \vec{v}^n)$,

  - $D = \lambda g\, y_1 \ldots y_p.(g\, C_1 \ldots C_m) = \lambda g \vec{y}.(g \vec{C})$,

  - $D' = \lambda g\, y_1 \ldots y_p.(g\, C'_1 \ldots C'_m) = \lambda g \vec{y}.(g \vec{C}')$,

with $S \equiv S'$ and $C_k \equiv C'_k$ for all $k \in \{1, \ldots, m\}$. Suppose $f = f^i$. In that case, the sequences $\vec{u}^i, \vec{v}^i$ are of the forms $(u^i_1, \ldots, u^i_p), (v^i_1, \ldots, v^i_p)$, and:

  - $(S \vec{C}) =_{\beta} \Pi^n_i$,

  - $(D C) =_{\beta} \lambda \vec{y}.(f \vec{u}^i)[\vec{C}/\vec{z}] =_{\beta\eta} \lambda \vec{y}.(f \vec{y})$.

Since $S \equiv S'$, we have $(S \vec{C}') =_{\beta} \Pi^n_i$. Since $C_k \equiv C'_k$ for all $k \in \{1, \ldots, m\}$, by Lemma 1 we have $(S' \vec{C}') =_{\beta} \Pi^n_i$. Therefore $(D' C') =_{\beta} \lambda \vec{y}.(f \vec{v}^i)[\vec{C}'/\vec{z}]$. Now, for all $j$, for $k$ and $d$ such that $u^i_j = (d\, z_k)$, we have:

— $v^i_j$ is of the form $(d'\, z_k)$ with $d \equiv d'$,

— $u^i_j[\vec{C}/\vec{z}] = (d\, C_k) =_{\beta\eta} y_j$,

— by induction hypothesis, $v^i_j[\vec{C}'/\vec{z}] = (d'\, C'_k) =_{\beta\eta} y_j$.

We conclude that $(D' C') =_{\beta} \lambda \vec{y}.(f^i \vec{v}^i)[\vec{C}'/\vec{z}] =_{\beta\eta} \lambda \vec{y}.(f^i \vec{y}) =_{\beta\eta} f^i$.

Theorem 1. Let $f^1 : A^1, \ldots, f^n : A^n$ be typed variables. Let $B$ be an arbitrary type. Then:

— the number of classes of coders of type $B$ and free variables $f^1, \ldots, f^n$ is finite,

— for all $i$, the number of classes of decoders of type $B \to A^i$ is finite.

Moreover, there exists a computable function which takes as an input the typed variables $f^1 : A^1, \ldots, f^n : A^n$ and the type $B$, and returns a representative of each class.

Proof. The proof of finiteness and the simultaneous construction of complete sets of representatives is straightforward, using induction on $B$, Proposition 1 and Lemmas 1 and 2.

Corollary 1. Given the types $A^1, \ldots, A^n$ and the type $B$, the existence of a witness in $\mathcal{C} \times \mathcal{D}^n$ for $(A^1 \times \ldots \times A^n) \lhd B$ is decidable.

Our next aim will be to prove that if $(A^1 \times \ldots \times A^n) \lhd B$, then there is indeed a witness in $\mathcal{C} \times \mathcal{D}^n$ for this relation. As an immediate consequence, we will get the decidability of $\lhd$.

2 Witness Conversion 

This section presents an algorithm, Convert, which takes as an input an arbitrary
witness (M, N^1, ..., N^n) for (A^1 × ... × A^n) ◁ B, and returns a witness
(C, D^1, ..., D^n) in C × D^n for this relation.

2.1 Linearization 

Note that if (M, N) is a witness for A ◁ B, then the β-normal, η-long form of N
is necessarily of the form λg λȳ.(g ...) with g of type B. The following function
is intended to transform N into a term with a single (head) occurrence of g.

Function Linearize(M : B, f : A, N : B → A)

assuming N closed and (N M) =βη f.

0. Redefine N as the β-normal, η-long form of N.

Let M⊥ = M[λd.⊥/f^1, ..., λd.⊥/f^n], where f^1, ..., f^n are all free variables
of M.

1. Let λg λȳ.(g u1 ... um) = N.

2. If λȳ.(M⊥ u1[M/g] ... um[M/g]) =βη f,

redefine N as the normal form of λg λȳ.(M⊥ u1 ... um), and goto 1.

3. If λȳ.(M u1[M⊥/g] ... um[M⊥/g]) =βη f,

redefine N as the normal form of λg λȳ.(g u1[M⊥/g] ... um[M⊥/g]), and return
N.

Remark 2. At step 1, λȳ.(M u1[M/g] ... um[M/g]) =βη f, where f is free in M
and not free in u1, ..., um. Therefore, one and only one of the conditions at steps
2 or 3 is satisfied.

Note also that all reductions of (N M⊥) are of finite length, therefore this
algorithm terminates. It is not hard to check that N' = Linearize(M, f, N) is
closed, and that we still have (N' M) =βη f.

2.2 Conversion 

Function Convert(M : B, f^1 : A^1, ..., f^n : A^n, N^1 : B → A^1, ..., N^n : B → A^n)

assuming B = B1 ... Bm → o, f^1, ..., f^n distinct, and for all i ∈ {1, ..., n}:
A^i = A^i_1 ... A^i_{p_i} → o, N^i closed, (N^i M) =βη f^i,

0. If n = 0, return λd.⊥ : B and exit.

1. For each f ∉ {f^1, ..., f^n} free in M, redefine M as M[λd.⊥/f].

For each i ∈ {1, ..., n}:

let λg y^i_1 ... y^i_{p_i}.(g u^i_1 ... u^i_m) = Linearize(M, f^i, N^i).

2. Define S : B1 ... Bm → (o^n → o) as the normal form of

λz̄ λx1 ... xn.(M[λd.x1/f^1, ..., λd.xn/f^n] z̄).

3. For each / G {1, . . . , n}, for each j G {1, . . . ,Pi), 

— let <j be the least substitution satisfying: 

• where the A* are fresh variables, 

• = Ad.J- : A* for all fc G {1, . . . ,n}, k ^ i, 

— let w] : A* be the normal form of AA*.(cr(M) z). 

4. for each / G {1, ..., n}, 

— for each A: G {!,..., m}, let b\ = u\[Xd.Lly \, . . . , Ad._L/j/pJ. 

— for each j G {1, • . • ,Pi}, define 4>i{j) as the unique k G {!,..., m} such 
that the term 

w] = v][b\/zi, bl_^/zk-i,bl^^/zk+i , . . . , bl^/zm] 
satisfies w^j[ul/zk] =/ 3 t, y}- 

5. For each / G {1, . . . , n}, for each fc G {1, . . . , m}, 
- let {j1, ..., jq} = φ_i^{-1}(k),

- let ,D^ : B^ ^ A^) 

= Convert {u\,y]^, . . . ,y]^,\zkw)^, . . . ,\zkw)^). 

6 . Define C : B as Xz.(Sz) (/^ {D\ 20i(pi))) 



For each i G {!,..., n}, define : B ^ A^ as 
7. Return (C, . . . , D"). 

2.3 Faithfulness

Lemma 3. Suppose (C, ...) = Convert(M, ..., ...). Then, for all terms F and
all projections Π, we have (F M) =β Π iff (F C) =β Π.

Proof. Suppose (F M) =β Π or (F C) =β Π. Then f1, ..., fn are not free in
the normal form of (F M), or not free in the normal form of (F C). According
to steps 2 and 6, we have:

(F M)
=β (F M[λd.⊥/f^1, ..., λd.⊥/f^n])
=β (F (λz̄.(S z̄ ⊥̄)))
=β (F C[λd.⊥/f^1, ..., λd.⊥/f^n])
=β (F C)

where ⊥̄ denotes a sequence of ⊥ of length n.



Lemma 4. Let (M, N^1, ..., N^n) be a witness for (A^1 × ... × A^n) ◁ B, such that
(N^i M) =βη f^i for all i. Then (C, D^1, ..., D^n) = Convert(M, f̄, N̄) belongs to
C × D^n, and is still a witness for this relation.

Proof. Assuming n > 0, we use induction on the type B of M and C. Let us
trace the construction of C, D^1, ..., D^n in Convert.

At step 2, {N^ M) =jj Xp.(Mu^) =^ 3 ^ /* implies (27 m*) =p Bf. 

At step 3, {MlT) =^ 3 ^ (PP) implies u*[u*/z] =^ 3 ^ AA*.(y( X]) =pr^ y]. Note 
that all free variables of u* belong to {zi, . . . , Zm}- 

At step 4, v*[m*/z] = 0 r^ y* implies the existence of a unique k G m} 

such that the free occurence of y* in the /Jy-normal form of Vj[jT/z] is a residual 
of a free occurence of y* in m^. Thus, (j)i{j) is well defined. Note that is 

the only free variable of wf 
At step 5, for all i ∈ {1, ..., n} and all j ∈ {1, ..., p_i}, we have

=i 3 t] y]- Therefore, for all i and all fc G {1, . . . , m}, 
{ul.,Xzk'w^j^, . . . ,XzkWjJ is a witness for x ... x A®^) < Bk- By 

induction hypothesis, Cl is a coder, , . . . , are decoders, and 
{Cl,Dj^,. . . ,DjJ is a witness for (A®^ x ... x A®^) < Bk- In other 
words, for all i,j we have Vj’ therefore we have 

{{Xz.r {D\ . . . {d;^ c^) = 0 r, if y\--- yp- 

At step 6, obviously C is a coder and the D^1, ..., D^n are decoders. According
to the analysis of step 5, it remains to check that for all i we have (S C̄) =β π^n_i.
We already know that (S ū^i) =β π^n_i, and that each C_k was computed by feeding
Convert with u^i_k as first argument. By lemma 3, for all F, (F u^i_k) =β π^n_i implies
(F C_k) =β π^n_i, so we are done.

The faithfulness of the conversion immediately implies:

Lemma 5. If (A^1 × ... × A^n) ◁ B then there is a witness in C × D^n for this
relation.

At last, we obtain our expected main result:

Theorem 2. The relation ◁ is decidable.

3 Conclusion

So far, we have proved that the existence of a definable retraction between two
simple types is decidable, in the special case of one ground type o, with a constant
⊥ of type o. The generalization to many ground types, with one constant of
each ground type, requires only minor modifications of our proof, thanks to the
following lemma:

Lemma 6. If A^1 × ... × A^n ◁ B then A^1, ..., A^n, B are of same rightmost ground
type.

Proof. Suppose A ◁ B, with A = A1 ... Ap → o and B = B1 ... Bm → o'. Take
M : B and a closed N = λg y1 ... yp.(g ū) : B → A such that (N M) =βη f.
Then the βη-normal form of (M ū[M/g]) : o' is equal to (f ȳ) : o, hence o = o'.

As a consequence, if we consider many ground types, the linearization and
conversion algorithms still work as they are¹, and all we need to do is to abstract
o at the right places in the definitions of selectors, coders, decoders. The
decidability still holds, due to the fact that a minimal model built with finitely
many ground types is decidable, and that we do not need any other ground
types than the ones appearing in A^1, ..., A^n, B in order to build in C × D^n a
witness for A^1 × ... × A^n ◁ B. Furthermore, we can easily get rid of all constants
by using instead fresh variables, distinct from every other variable mentioned in
our proofs and definitions, and by modifying accordingly the notion of "closed"
term.

¹ The assumptions made in Convert ensure that A^1, ..., A^n, B are of same rightmost
ground type o, so the selector built at step 2 is indeed of type B1 ... Bm → (o^n → o).
At step 1, ⊥ becomes implicitly a constant of adequate ground type. Linearize can
be left unchanged, because it is always called with f1, ..., fn of same rightmost
ground type: a single constant ⊥ is required to compute M⊥.

In conclusion, let us remark that this proof leaves open the existence of
a type system from which all definable retractions could be inferred, without
appealing to some syntactical criterion; this question probably requires a further
understanding of the minimal model itself. Still, it is possible to extract from
the proof of lemma 4 an alternate proof of the following theorem, which is an
immediate corollary of the Witness Theorem in [LPS92], and which provides an
incomplete characterization of definable retractions:

Theorem 3. Let A = A1 ... Ap → o, B = B1 ... Bm → o be simple types. If a
definable retraction exists between A and B then, for all j, there exists a k such
that a definable retraction exists between Aj and Bk.

Indeed, in lemma 4, as we reconstruct a witness for (A^1 × ... × A^n) ◁ B, we prove,
for each i and for each j ∈ {1, ..., p_i}, the existence of a k = φ_i(j) such that
A^i_j ◁ B_k.
Abstract. An examination of Girard's execution formula suggests implementations
of the Geometry of Interaction at the syntactic level. In
this paper we limit our scope to ground-type terms and study the parallel
aspects of such implementations, by introducing a family of abstract
machines which can be directly implemented. These machines address
all the important implementation issues such as the choice of an inter-thread
communication model, and allow the incorporation of specific strategies
for dividing the computation of the execution path into smaller tasks.



1 Introduction 

This paper proposes novel parallel implementation techniques for the λ-calculus
based on the geometry of interaction (GoI) [?]. GoI-based implementation
is quite different from other techniques: it uses a graph representation of each
term, from which its value is derived by performing path computations, which
can be done locally and asynchronously. This encompasses both β-reduction and
the variable substitution mechanism.

Informally, for every ground-type term there is a path which leaves from the
root of the respective graph, and traverses the term, finishing back at root. This
path will survive reduction; in particular in the normal form of the term, it will
simply go from the root to the constant which is the value of the term. The GoI
treats this path algebraically, by assigning a weight to every edge in the initial
graph. This allows, on one hand, to identify the unique path which survives
reduction, and on the other hand, to calculate algebraically its weight, which is
invariant throughout reduction, and equal, in fact, to the value of the term.

The geometry of interaction has been developed as a semantics for linear
logic proof-nets. Combined with a standard translation of the λ-calculus into
these nets, the results may then be lifted to the scope of functional programs.
The nodes in the graph of each term are logical symbols with premises and
conclusions, and each orientated edge links a conclusion of a node to a premise
of another node. Paths are sequences of (direct • → • or reverse • ← •) edges.
Straight paths are those that do not bounce (i.e., no edge is followed by the same
edge in the opposite direction) and do not twist (a path arriving at a premise of
a node is not followed by an edge leaving from the other premise).

Persistent paths are those that remain invariant with respect to reduction,
and the geometry of interaction is a tool for calculating them: Girard's execution
formula gives the interpretation of a term as a set of straight paths (called regular
paths) which are proved [?] to be exactly the persistent paths.

Regular paths are calculated algebraically: edges in the graph are labelled
with a weight, a term in the GoI dynamic algebra L*. The weight w(·) of a path
is defined inductively: w(ε) = 1 for the empty path ε, and w(tγ) = w(γ) · w(t),
where γ is a path and t an edge, and · denotes composition in L*. For the case
of ground-type terms a single persistent path exists which starts and ends at the
root of the graph, and the term can be evaluated by calculating its weight.

Implementation via GoI. The first work which proposed to use the GoI as an
implementation mechanism [2] defined virtual reduction (VR), a local and confluent
reduction on graphs, which already suggested the use of parallelism. Virtual
reduction allows to add to a graph new edges representing composed paths.
Since it preserves the execution of terms, VR provides a way of calculating regular
paths. In order to avoid compositions corresponding to bouncing paths, as
well as the repeated compositions of pairs of edges, virtual reduction filters the
weights of the composed edges, for which an extension of the algebraic structure
is required. This makes the calculations rather complex.

Directed Virtual Reduction [?], applied with the combustion strategy, eliminates
this complexity and achieves strong local confluence, but at a cost: the
introduction of many bureaucratic reduction steps. To the best of our knowledge,
only the directed version has been implemented [?], with the introduction of
the half-combustion strategy, which allows for a higher degree of parallelism.

The other way in which GoI has been used for implementation was by turning
graphs into bideterministic automata, attaching an action to each edge. Actions
act on contexts (which play the role of words), as given by the context semantics
of [?]. The first GoI implementation [?] was in fact obtained in this way, for
the PCF language: the Geometry of Interaction Machine compiles terms into
assembly code of a generic register machine, which runs an automaton.

Our Approach. In this paper we apply the execution formula directly. Our approach
resembles VR in that it is syntactic, however it uses L* rather than
the more complicated structure of VR, thus algebraic manipulation is kept simple.
This simplicity is a result of the representation of terms using matrices of
weights, following Girard's presentation of the GoI.

From a data-structures point of view, matrices are a convenient representation
for graphs. We have studied elsewhere [?] sequential algorithms for calculating
execution paths, derived from the execution formula and using the same
matrix representation that will be used here.

We achieve concurrent execution by calculating segments of the path (assigned
to different threads of computation) starting from different nodes of its
graph, and allowing the threads to communicate so that the weight of a finished
segment can be used to calculate the weight of another (longer) segment.

Each implementation in this paper will be presented as an abstract machine,
an abstract rewriting system working on machine configurations. While
strongly based on the theory, each machine addresses all the major implementation
questions, including the choice of a model for inter-thread communication
(shared-memory vs. message-passing) and synchronization issues. The machines
are parameterized, allowing to impose different path reduction strategies.

Plan. In Sect. 2 we briefly review basic concepts of the geometry of interaction.
Section 3 defines the computational tasks that will be distributed for parallel
execution, and in Sect. 4 a shared-memory abstract machine is defined. This is
optimized in Sect. 5 to eliminate the need for synchronization mechanisms. In
Sect. 6 we study redundant path computations and propose an abstract machine
that gets rid of redundancy. Section 7 defines a distributed-memory machine, and
in Sect. 8 we conclude with some comments about implementing these ideas.

The long version of this paper contains proofs and examples of execution. 



2 Background 



Our treatment of the theory here is necessarily superficial; for a more thorough
introduction to GoI (including VR and DVR), see [6,5,2,3].



The Language. We will use a typed λ-calculus with a single base type. The
syntax of our terms (ranged over by t, u, v) will be (with x, y, z variables, n an
integer constant and S the successor function):

t ::= n | S | x | tu | λx.u

The typing rules are the standard ones: if with x : σ we have M : τ then λx.M :
σ → τ; if M : σ → τ and N : σ then MN : τ. The constants S : nat → nat and
n : nat have the expected types. The reduction rules we wish to implement are
β-reduction and a δ-rule for the constants:

(λx.t)u → t[u/x]

Sn → n + 1

All the results in the paper can be extended to include conditionals and recursion;
we choose to keep the language as simple as possible for the sake of clarity.
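As an added example (not code from the paper), the two reduction rules above as a small normal-order evaluator; the tuple encoding of terms, the capture-avoiding renaming scheme and the step limit are choices of this example:

```python
"""Added example, not the paper's code: a normal-order evaluator for the language
above, implementing beta-reduction (λx.t)u -> t[u/x] and the delta rule S n -> n+1.
Term encoding (our own): ('num', n), ('S',), ('var', x), ('app', t, u),
('lam', x, u).  Substitution is capture-avoiding by renaming binders."""
import itertools

_fresh = itertools.count()          # counter for fresh binder names (assumed not to clash)

def free_vars(t):
    kind = t[0]
    if kind == 'var':
        return {t[1]}
    if kind == 'app':
        return free_vars(t[1]) | free_vars(t[2])
    if kind == 'lam':
        return free_vars(t[2]) - {t[1]}
    return set()                    # constants n and S

def subst(t, x, u):
    """t[u/x], renaming a binder that would capture a free variable of u."""
    kind = t[0]
    if kind == 'var':
        return u if t[1] == x else t
    if kind == 'app':
        return ('app', subst(t[1], x, u), subst(t[2], x, u))
    if kind == 'lam':
        y, body = t[1], t[2]
        if y == x:
            return t                # x is bound here, nothing to substitute
        if y in free_vars(u):
            z = f"{y}_{next(_fresh)}"
            body = subst(body, y, ('var', z))
            y = z
        return ('lam', y, subst(body, x, u))
    return t

def reduce_step(t):
    """One leftmost-outermost step; returns (term, changed)."""
    if t[0] == 'app':
        f, a = t[1], t[2]
        if f[0] == 'lam':                                   # beta
            return subst(f[2], f[1], a), True
        if f[0] == 'S' and a[0] == 'num':                   # delta: S n -> n + 1
            return ('num', a[1] + 1), True
        f2, changed = reduce_step(f)
        if changed:
            return ('app', f2, a), True
        a2, changed = reduce_step(a)
        return ('app', f2, a2), changed
    if t[0] == 'lam':
        body, changed = reduce_step(t[2])
        return ('lam', t[1], body), changed
    return t, False                                         # num, S, var

def normal_form(t, limit=10000):
    """Reduce to normal form; the step limit guards against looping terms."""
    for _ in range(limit):
        t, changed = reduce_step(t)
        if not changed:
            return t
    raise RuntimeError("no normal form within the step limit")
```

With twice = λf.λx.f (f x), normal_form(('app', ('app', twice, ('S',)), ('num', 1))) goes through two β-steps and two δ-steps to ('num', 3); applying λx.λy.x to the free variable y renames the inner binder instead of capturing it.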



The Geometry of Interaction Dynamic Algebra L*. We define a single-sorted
signature with constants 0, 1, p, q, r, s, t, d; two unary operators (·)* and !(·), and
an infix (denoted by .) binary composition. The equational theory L* is defined
over this signature as follows (where variables x, y stand for arbitrary terms):

- The structure is monoidal, with identity 1 and composition as multiplicative
operation, and 0 is an absorbing element for composition. Associativity
allows to write u.v as uv, and both u.(v.w) and (u.v).w as uvw.

- The inversion operator (·)* is an involutive antimorphism for 0, 1, and composition:

0* = 0    1* = 1    (x*)* = x    (xy)* = y*x*

- The exponential operator ! is a morphism for 0, 1, inversion, and composition:

!(0) = 0    !(1) = 1    !(x)* = !(x*)    !(x)!(y) = !(xy)

- The constants verify the annihilation equations:

c*c = 1 for c = q, p, r, s, t, d
q*p = p*q = 0
r*s = s*r = 0

- The following commutation equations are verified:

!(x)r = r!(x)    !(x)s = s!(x)    !(x)t = t!!(x)    !(x)d = dx

- To accommodate our language, we extend this theory with constants n (for
each natural number) and S, with equations:

nS = S(n + 1)    S*S = 1

Each commutation equation has a dual form as a consequence of (xy)* = y*x*,
for instance, d*!(x) = xd*. A binary sum operator may also be included in this
theory, which is commutative and associative, has 0 as identity, and composition
distributes over it. We call L*_+ the theory L* extended with this operator.



Execution Paths. The standard presentation consists in first defining the weight
of paths in proof-nets. Execution paths are regular (i.e. their weight does not
equal 0 in L*) and have as source and goal conclusions of the net. A translation
of λ-terms into nets allows to lift the interpretation to the λ-calculus.

Decidability of Regularity. The term-rewriting system R_L* is obtained by orienting
from left to right all the equations in L* (including the dual commutation
equations). R_L* is confluent [13]. A stable form is 1 or any term a!(m)b* in L*
where a and b are positive flat terms, i.e., they contain no applications of (·)* or
!(·), and m is stable. Stable forms are normal with respect to R_L*. Every stable
form is equal to some term AB* with A and B positive but not necessarily flat.

Proposition 1 (AB* property [?]). If γ is a straight path in some net
then its weight w(γ) can be rewritten either to a stable form or to 0.

Let γ be a path with w(γ) rewritable to a stable form ab*. Since for a positive
monomial x, L* ⊢ x*x = 1, then L* ⊢ a*ab*b = 1, and L* ⊢ a*w(γ)b = 1.
Thus L* ⊬ w(γ) = 0 (otherwise L* ⊢ 0 = 1, contradicted by the existence of
non-trivial models for L*). This gives a decidable process for checking regularity.
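The rewriting system R_L* and the regularity check of the two paragraphs above, as an added example that is not the paper's code. It orients the L* equations listed earlier left to right, including the dual commutation forms and the equations for n and S; the term representation and the sample words in the usage note are assumptions of this example:

```python
"""Added example, not the paper's code: the rewriting system R_L* (equations of L*
oriented left to right, dual commutation forms included) and the regularity check
of the paragraph above.  Representation (our own): a word is a list of factors,
('a', name, starred) for a constant, ('n', k, starred) for a natural-number
constant, ('!', inner_word) for !(x); the empty list is 1 and ZERO is 0.  Stars are
pushed onto the atoms with (xy)* = y*x* and !(x)* = !(x*)."""

ZERO = ('0',)                     # absorbing element of composition
ANNIHILATING = set('pqrstdS')     # c*c = 1 for each of these constants
ORTHOGONAL = {('q', 'p'), ('p', 'q'), ('r', 's'), ('s', 'r')}   # c*c' = 0

def atom(name, starred=False):
    return ('a', name, starred)

def num(k, starred=False):
    return ('n', k, starred)

def bang(word):
    return ('!', list(word))

def star(word):
    """(x1 ... xk)* = xk* ... x1*, with stars pushed down onto the atoms."""
    return [bang(star(f[1])) if f[0] == '!' else (f[0], f[1], not f[2])
            for f in reversed(word)]

def _is(f, name, starred):
    return f[0] == 'a' and f[1] == name and f[2] == starred

def _pair_rule(x, y):
    """Rewrite the adjacent pair x y: a replacement word, ZERO, or None if no rule applies."""
    if x[0] == 'a' and y[0] == 'a' and x[2] and not y[2]:
        if x[1] == y[1] and x[1] in ANNIHILATING:            # c* c -> 1
            return []
        if (x[1], y[1]) in ORTHOGONAL:                        # q* p, p* q, r* s, s* r -> 0
            return ZERO
    if x[0] == 'n' and not x[2] and _is(y, 'S', False):      # n S -> S (n+1)
        return [atom('S'), num(x[1] + 1)]
    if _is(x, 'S', True) and y[0] == 'n' and y[2]:           # dual: S* n* -> (n+1)* S*
        return [num(y[1] + 1, True), atom('S', True)]
    if x[0] == '!' and y[0] == 'a' and not y[2]:
        if y[1] in ('r', 's'):                                # !(x) r -> r !(x), same for s
            return [y, x]
        if y[1] == 't':                                       # !(x) t -> t !!(x)
            return [y, bang([x])]
        if y[1] == 'd':                                       # !(x) d -> d x
            return [y] + x[1]
    if x[0] == 'a' and x[2] and y[0] == '!':                 # duals, via (xy)* = y*x*
        if x[1] in ('r', 's'):                                # r* !(x) -> !(x) r*
            return [y, x]
        if x[1] == 't':                                       # t* !(x) -> !!(x) t*
            return [bang([y]), x]
        if x[1] == 'd':                                       # d* !(x) -> x d*
            return y[1] + [x]
    if x[0] == '!' and y[0] == '!':                           # !(x) !(y) -> !(xy)
        return [bang(x[1] + y[1])]
    return None

def normalize(word):
    """Normal form of `word` under R_L*: a word (the empty list is 1) or ZERO."""
    word = list(word)
    while True:
        changed = False
        for i, f in enumerate(word):                          # rewrite under each ! first
            if f[0] == '!':
                inner = normalize(f[1])
                if inner is ZERO:                             # !(0) = 0
                    return ZERO
                if not inner:                                 # !(1) = 1
                    del word[i]
                    changed = True
                    break
                if inner != f[1]:
                    word[i] = bang(inner)
                    changed = True
                    break
        if changed:
            continue
        for i in range(len(word) - 1):
            repl = _pair_rule(word[i], word[i + 1])
            if repl is ZERO:
                return ZERO
            if repl is not None:
                word[i:i + 2] = repl
                changed = True
                break
        if not changed:
            return word

def is_regular(word):
    """A weight is regular iff it does not rewrite to 0 (the decision procedure above)."""
    return normalize(word) is not ZERO
```

normalize([atom('d', True), bang([atom('p')]), atom('d')]) first commutes d* past !(p) (giving p d* d) and then annihilates d* d, leaving p; normalize([atom('q', True), atom('p')]) returns ZERO, so is_regular rejects that word; the constructed word !(p) r r* !(p*) rewrites to r !(p p*) r*, a stable form a!(m)b* with m = p p*.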






Matrix Presentation. The interpretation or execution of a net is the set of all
tuples (s, d, φ) such that there is an execution path with source s, goal d, and
weight φ, with s, d (the indexes of) two conclusions of the net. One way to
represent this is as a matrix of weights indexed by the conclusions of the net.

Following Girard [?] we associate to a proof a pair of matrices (Π*, σ), indexed
by the terminal ports of the corresponding proof-net. These are either conclusions
of symbols which are connected to cut links, or conclusions of the net. An up-down
path is a path that starts upwards at a terminal port and ends downwards
at a terminal port. An elementary path is an up-down path which doesn't cross
any cut link. The matrix Π* associated to a net contains all the (sums of the
weights of) elementary paths in it, and σ contains information relative to the cuts
in the net (it corresponds to an involutive permutation on the non-conclusion
terminal ports). In the long version of the paper we show how to build these
matrices directly from a λ-term.

Definition 1 (Execution Formula). Let t be a term and (Π*, σ) the matrices
associated to it. The execution of t is defined as follows, where C is called the
central part of the formula:

Ex(t) = (1 − σ²) C (1 − σ²)    where    C = Π* Σ_{k=0}^{∞} (σΠ*)^k

In this paper we only interpret ground-type terms. In these conditions the
execution formula expresses an invariant on computation: if t → t', then
Ex(t) = Ex(t'). The unique conclusion (or root) of the corresponding proof-net
will by convention have the highest index in the matrices. Ex(t) is a square
matrix of dimension N containing 0 everywhere except Ex(t)_{N,N}, which is the
weight of the execution path of t. The following result from [?] is the last ingredient
required for using the execution formula as an evaluation device:

Proposition 2. If t has ground type and reduces to a constant c, and φ is the
weight of its execution path, then L* ⊢ φ = c.

3 Basic Computation Tasks

As far as the design of an abstract machine is concerned, the first step is to
choose a notion of basic task of computation. Then the operation of the machine
simply manages the concurrent execution of these tasks by the available threads.

Let φ be a path ending at a terminal port connected to a cut link C. A basic
task is the action of composing φ with all the paths consisting of the cut link C
followed by (i) an elementary path or (ii) any other up-down path. An element
(σΠ*)_{i,j} is the weight of a path starting downwards at terminal port i, crossing a
cut, and traversing an elementary path. If φ ends at port i, multiplying its weight
by the row vector (σΠ*)_i captures the first case above. By adding the weights
of other up-down paths to a copy of σΠ*, the second case is also captured.

Auxiliary Functions. Let N be the number of terminal ports in a net 𝒩. We
consider defined (in the context of a configuration) a matrix of weights B of
dimension N (initially containing a copy of σΠ*), and a predicate storePred on
paths, represented as tuples (s, d, φ), with s and d the source and goal ports, and
φ their weight. storePred identifies paths which will cease to be grown. Instead,
their weight will be stored to be reused later. The path starting at root should
never stop being grown, thus one imposes storePred(N, d, φ) = false.

The function Ics takes as argument a path (s, d, φ) and returns a pair (l1, l2)
of lists of paths. This pair is obtained by composing the weight φ with all the
weights in the row indexed by d in matrix B, and including each of the resulting
weights (s, m, τ) in l1 or l2 according to whether storePred(s, m, τ) holds or not.

A related function I'cs also takes a path (s, d, φ) and returns a pair (l1, l2)
of lists, now obtained by composing every weight stored in the column indexed
by s in matrix X (part of the current configuration) with φ, and splitting the
resulting paths using storePred. The use of I'cs will become clear in Sect. [?].

4 Shared-Everything Abstract Machines

In this section we define a first abstract machine (i.e., a notion of configurations
and a reduction relation) corresponding to a shared-memory implementation.

Definition 2. An SE-configuration is a tuple (B | S | C | [t1, ..., tm]) where

- B is a matrix of weights of paths of dimension N, representing a net.

- S, C ∈ (ℕ × ℕ × L*)* are the storage and composition task lists, respectively.

- Each thread tk is a State, a term built from the following signature:

store : ℕ × ℕ × L* → State        compose : ℕ × ℕ × L* → State
delist : State                     stop : L* → State
enlist : (ℕ × ℕ × L*)* × (ℕ × ℕ × L*)* → State

We will use the following definitions in the context of a configuration: N_D =
{n ∈ ℕ | n < N} and N_T = {n ∈ ℕ | n < m}.

The abstract machine rules are given in Table 1, where we omit some unchanged
components. Standard notation is used for lists. The auxiliary function
add(B, i, j, α) gives the matrix obtained by adding the weight α to B_{i,j}. The
rules define a reduction relation → on single-threaded configurations.

Definition 3 (SE Reduction). The reduction relation ⇒ on multi-threaded
configurations is the smallest relation verifying:

(B | S | C | [tk]) → (B' | S' | C' | [t'k])
-------------------------------------------------------------------------
(B | S | C | [t1, ..., tk, ..., tm]) ⇒ (B' | S' | C' | [t1, ..., t'k, ..., tm])

Definition 4. A tuple (s, d, φ), where φ ∈ L*_+, is said to belong to the execution
of a term iff φ can be written as a sum φ = Σ_n φ_n, such that for each φ_n one
has φ_n + α_n = (Π*(σΠ*)^{i_n})_{s,d} for some i_n and some term α_n ∈ L*_+.
Table 1. Shared-everything (SE) abstract machine

Rule   Component   Before                        After                       Condition

0      Net         B                             B                           s = d = N
       Thread      compose(s, d, φ)              stop(φ)

I      Net         B                             add(B, σ(s), d, φ)
       Thread      store(s, d, φ)                delist

II     Net         B                             B                           s ≠ N or d ≠ N
       Thread      compose(s, d, φ)              enlist(Ics(s, d, φ))

III    STasks      S                             (s, d, φ) : S
       Thread      enlist((s, d, φ) : Ts, Tc)    enlist(Ts, Tc)

IV     CTasks      C                             (s, d, φ) : C
       Thread      enlist(ε, (s, d, φ) : Tc)     enlist(ε, Tc)

V      Thread      enlist(ε, ε)                  delist

VI     STasks      (s, d, φ) : S                 S
       Thread      delist                        store(s, d, φ)

VII    CTasks      (s, d, φ) : C                 C
       STasks      ε                             ε
       Thread      delist                        compose(s, d, φ)


The following propositions establish sufficient conditions for the correctness of
the machine and for the execution path to be computed.

Proposition 3. Let t be a term represented as (Π*, σ), and Σ0 = (σΠ* | ε |
C0 | [delist ... delist]) a configuration where C0 contains only paths (i, j, Π*_{i,j})
taken from Π*, excluding repetitions. Let Σ0 ⇒* Σ = (B | S | C | [t1 ... tm]).

1. If tk is some thread in Σ and tk = compose(s, d, φ) or tk = store(s, d, φ),
then (s, d, φ) belongs to the execution of t.

2. If tk = enlist(Ts, Tc) is some thread in Σ and (s, d, φ) ∈ Ts or (s, d, φ) ∈ Tc,
then (s, d, φ) belongs to the execution of t.

3. If (s, d, φ) ∈ S or (s, d, φ) ∈ C, then (s, d, φ) belongs to the execution of t.

4. For all s, d, the tuple (σ(s), d, B_{s,d}) belongs to the execution of t.

Proposition 4. Consider an initial configuration in the conditions of Prop. 3
where additionally C0 contains the paths (N, j, Π*_{N,j}) such that Π*_{N,j} ≠ 0. Then
the machine stops with a final configuration Σ containing a thread in the state
stop(φ), where φ is the weight of the unique execution path of the term.

Deterministic Execution. For initial configurations Σ0 in the conditions of
Prop. 3 with C0 containing only the weight of the path in row N of Π*, execution
of the abstract machine is deterministic and equivalent to the Geometry
of Interaction Machine [?]. There is always a single path inside the machine,
that results from growing the unique elementary path with source the root of
the term, and given the ground-type of the term, the result of each step (and
each invocation of Ics) must be a unique path, for which the storePred predicate
always returns false, thus a new compose task will be generated with the new
path as argument.

Concurrent Execution. The present machine is a formalization of a variant of the
producer-consumers model for (shared-memory) parallel programming, where
the consumer threads are also producers, running the following cycle: first dequeue
a task from the shared queue, then process it (possibly enqueueing new
tasks); restart. In the abstract machine there are two different task lists, with
different priorities (store tasks have higher priority than compose tasks).

The concurrent behaviour of ⇒ comes from sequentiality with non-determinism.
A single thread executes a machine rule at each step of the → reduction,
allowing to capture synchronization when accessing shared data-structures.
For instance, if two threads may execute at the same time rule I, there will be a
(2 step) reduction with the correct result (B is changed by the two threads).

If parallel computation is desired, one must add more paths to C0 than those
in row N of Π*. These paths will be concurrently grown into longer regular paths.
When a path φ computed by thread t1 reaches a port from which another path
φ' has been grown by t2, φ' will be used for extending φ. At this point, t1 and t2
communicate using matrix B: if s and d are the source and goal ports of φ', then
the weight φ' will be added to the current weight in B_{σ(s),d} and composition of
φ with φ' will happen naturally since σ(s) is the goal port of φ.

One could devise a strategy for virtual reduction mimicking the abstract
machine: given a set of nodes, grow all the paths leaving from those nodes. In
VR each composition results in a new edge immediately incorporated in the net,
whereas the machine will only perform store operations (which will add paths
to the net represented by matrix B) with selected paths (which then cease to
be grown). To illustrate this point, consider the net in Fig. 1, where a path is
to be grown starting from the source of the edge φ0. Virtual reduction produces
the net on the left, where φ0 has been composed with γ1 to give φ1, which has
then been composed with γ2 and so on. The abstract machine grows the path
φ0 until storePred is verified, and only then does it store the result path φ.





Fig. 1. Example path reductions 
The machine is parameterized on which paths to start growing (included in
C0), and on the predicate storePred. One possible criterion is given in Sect. [?].
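Definition 1 and Table 1 together, as an added example that is not the paper's code: the series Σ_k (σΠ*)^k is summed directly on a constructed net, and the same net is then run through the SE machine with a random interleaving of threads. Weights are taken in the free monoid of edge labels with sums as Python sets (nothing annihilates, so the net is built without bouncing paths and the series is finite), ports are numbered 0..N−1 with the root at N−1, and storePred, the initial compose list C0 and the scheduling are choices of this example:

```python
"""Added example, not the paper's own code: the central part of the execution
formula (Definition 1) and the shared-everything machine of Table 1, run on a
constructed net.  Assumptions (all ours): weights are words over edge labels,
sums are Python sets (so nothing annihilates, and the net is chosen without
bouncing paths so that sum_k (sigma Pi*)^k is finite); ports are 0..N-1 with
the root at N-1; storePred, the initial compose tasks and the random
interleaving of threads are choices of this example."""
import random

def compose(w1, w2):
    """Product of two sums of words (composition in L*_+ on free words)."""
    return {a + b for a in w1 for b in w2}

def matmul(A, B):
    n = len(A)
    return [[set().union(*(compose(A[i][k], B[k][j]) for k in range(n)))
             for j in range(n)] for i in range(n)]

def sigma_pi(pi, sigma):
    """(sigma Pi*)_{i,j} = Pi*_{sigma(i),j}: cross the cut at i, then an elementary path."""
    n = len(pi)
    return [[set(pi[sigma[i]][j]) if sigma[i] is not None else set()
             for j in range(n)] for i in range(n)]

def execution_weight(pi, sigma, root):
    """Root entry of C = Pi* sum_k (sigma Pi*)^k; (1 - sigma^2) is the identity at the root."""
    n = len(pi)
    spi = sigma_pi(pi, sigma)
    power = [[{""} if i == j else set() for j in range(n)] for i in range(n)]  # k = 0
    total = [[set() for _ in range(n)] for _ in range(n)]
    while any(power[i][j] for i in range(n) for j in range(n)):
        for i in range(n):
            for j in range(n):
                total[i][j] |= power[i][j]
        power = matmul(power, spi)
    return matmul(pi, total)[root][root]

def constructed_net():
    """Constructed net: 7 terminal ports, root 6, cuts 0-1, 2-3, 4-5 and the
    elementary paths a: 6->0, b: 1->2, c: 3->4, d: 5->6 (labels are the weights)."""
    n, root = 7, 6
    pi = [[set() for _ in range(n)] for _ in range(n)]
    for s, d, w in [(6, 0, "a"), (1, 2, "b"), (3, 4, "c"), (5, 6, "d")]:
        pi[s][d].add(w)
    sigma = [1, 0, 3, 2, 5, 4, None]      # involution on the cut ports, undefined at the root
    return pi, sigma, root

def run_se_machine(pi, sigma, root, initial_tasks, store_pred, threads=3, seed=0):
    """Table 1 as an interleaving scheduler: shared B (initially sigma Pi*), shared
    store list S and compose list C, one state per thread.  Each step picks a live
    thread at random and fires the single rule its state enables.  Returns the
    weights that reached stop(phi) and the final matrix B."""
    rng = random.Random(seed)
    n = len(pi)
    B = sigma_pi(pi, sigma)
    S, C = [], list(initial_tasks)        # list heads are at the end of the Python lists
    states = [("delist",)] * threads
    stopped = []

    def ics(s, d, phi):
        """Function Ics: grow (s, d, phi) by row d of B and split by storePred."""
        l1, l2 = [], []
        for m in range(n):
            for w in B[d][m]:
                task = (s, m, phi + w)
                (l1 if store_pred(*task) else l2).append(task)
        return l1, l2

    while True:
        live = [k for k, st in enumerate(states) if st[0] != "stop"]
        if not live or (not S and not C and all(states[k][0] == "delist" for k in live)):
            return stopped, B
        k = rng.choice(live)
        st = states[k]
        if st[0] == "compose":
            s, d, phi = st[1:]
            if s == root and d == root:                       # rule 0
                states[k] = ("stop", phi)
                stopped.append(phi)
            else:                                             # rule II
                states[k] = ("enlist",) + ics(s, d, phi)
        elif st[0] == "store":                                # rule I
            s, d, phi = st[1:]
            B[sigma[s]][d].add(phi)
            states[k] = ("delist",)
        elif st[0] == "enlist":
            ts, tc = st[1], st[2]
            if ts:                                            # rule III
                S.append(ts[-1]); states[k] = ("enlist", ts[:-1], tc)
            elif tc:                                          # rule IV
                C.append(tc[-1]); states[k] = ("enlist", ts, tc[:-1])
            else:                                             # rule V
                states[k] = ("delist",)
        elif S:                                               # rule VI (store tasks first)
            states[k] = ("store",) + S.pop()
        elif C:                                               # rule VII
            states[k] = ("compose",) + C.pop()

if __name__ == "__main__":
    PI, SIGMA, ROOT = constructed_net()
    print("execution formula:", execution_weight(PI, SIGMA, ROOT))
    stopped, _ = run_se_machine(PI, SIGMA, ROOT, [(ROOT, 0, "a"), (3, 4, "c")],
                                lambda s, d, phi: s != ROOT, seed=1)
    print("SE machine stop states:", stopped)
```

With C0 = [(root, 0, "a"), (3, 4, "c")] and storePred(s, d, φ) = (s ≠ root), the non-root path is grown to (3, 6, "cd") and stored at B_{σ(3),6} = B_{2,6}; the root path reaching port 2 then composes with the elementary "c" or, if the store has already happened, also with "cd", so every run stops with weight "abcd" (the value execution_weight returns) but may reach stop twice. That duplicate is the redundant path computation the paper sets out to remove in a later section; with only the root path in C0 and storePred always false, the run is the deterministic single-path execution described above.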

Implementation. The abstract machine may be implemented in any shared-memory
architecture; threads in a configuration will be mapped into machine
threads independently running the machine rules; threads will run in true parallelism,
with synchronization introduced for accessing the shared data-structures.
This ensures that the behaviour of the implementation corresponds to the interleaving
reduction of the abstract machine. Any shared-memory library contains
the appropriate synchronization devices, which we will here call locks.

Synchronization is required for accessing the shared task lists S and C, which
may be read and written by any thread. This is done by associating a lock to
each list: the C-lock must be acquired before and released after execution of
rules IV and VII, and the same happens for the S-lock with rules III and VI.

Since the elements in a matrix are stored in independent memory positions,
they can be protected individually, rather than treating B as a monolithic structure
with a single lock. Synchronization is needed when two threads execute
simultaneously rule I with the same s, d arguments: the individual lock associated
to B_{σ(s),d} must be acquired by a thread store(s, d, φ) executing rule I.

5 Distributed-Task-Lists Abstract Machines

Much synchronization is required for the parallel implementation of the SE-machine.
We will eliminate this by including in threads private task lists.

Definition 5. A DTL-configuration is a tuple (B | [t1, ..., tm]) where

- B is a matrix of weights of paths of dimension N, representing a net.

- Each tk is a thread, tk = (Sk | Ck | stk), where Sk, Ck ∈ (ℕ × ℕ × L*)* are
the storage and composition task lists of the thread, respectively, and stk its
state, built from the same signature as before.

Table 2 defines a reduction relation → on single-threaded configurations (rule
0 will henceforth be considered implicit). We then define the following:

Definition 6 (DTL reduction). ⇒ is the smallest relation verifying

(B | [tk]) → (B' | [t'k])
-----------------------------------------------------
(B | [t1, ..., tk, ..., tm]) ⇒ (B' | [t1, ..., t'k, ..., tm])

Properties. Proposition 3 holds slightly modified, with initial configurations
Σ0 = (σΠ* | [t1, ..., tm]) where each thread tk = (ε | C0_k | delist), each C0_k
contains only paths (s, d, Π*_{s,d}) from Π*, and the same path does not occur
repeatedly in any two or in the same C0_k. Also the third condition in the proposition
is changed to "if tk is some thread and (s, d, φ) ∈ Sk or (s, d, φ) ∈ Ck,
then (s, d, φ) belongs to the execution of t". Proposition 4 holds as well with
small modifications: in the initial configurations, the paths (N, j, Π*_{N,j}) must be
contained in some C0_k. Finally another interesting property holds:
Table 2. Distributed-task-lists (DTL) abstract machine 

Rule  Thread  Component  Before                          After 
I     t_k     Net        B                               add(B, σ(s), d, φ) 
              State      store(s, d, φ)                  delist 
II    t_k     Net        B                               B                      (s ≠ N or d ≠ N) 
              State      compose(s, d, φ)                enlist(Γ_C(s, d, φ)) 
III   t_k     STasks     S                               (s, d, φ) : S 
              State      enlist((s, d, φ) : T_S, T_C)    enlist(T_S, T_C) 
IV    t_k     CTasks     C                               (s, d, φ) : C 
              State      enlist(ε, (s, d, φ) : T_C)      enlist(ε, T_C) 
V     t_k     State      enlist(ε, ε)                    delist 
VI    t_k     STasks     (s, d, φ) : S                   S 
              State      delist                          store(s, d, φ) 
VII   t_k     CTasks     (s, d, φ) : C                   C 
              STasks     ε                               ε 
              State      delist                          compose(s, d, φ) 




Proposition 5. Let i : N_D → N_T be any map. Consider a configuration Σ_0 = (B^0 | [t_1^0, ..., t_m^0]), each t_k^0 = (ε | C_k^0 | delist), and C_k^0 containing only paths (s, d, Π*_{s,d}) such that i(s) = k. If Σ_0 ⇒* Σ and t_k is any thread in Σ with state compose(s, d, φ) or store(s, d, φ), then i(s) = k. 

Remarks. Suppose i is the identity function (and there are enough threads in the configuration). Then this proposition means that (with an appropriate initial configuration) thread t_k will handle all paths with source k, and only those. An immediate consequence is that when executing rule I, each thread writes to positions located in a unique row (indexed by σ(k)) of matrix B. 

If not enough threads are available for all terminal ports, the function i will map terminal ports to threads. In this case each thread t_k will process paths with source ports from a distinct set, and will thus write to positions in different rows of B. t_k will however read from positions in any row of B. 

Implementation. Each thread reads from and writes to its own task lists only (so no synchronization is needed for accessing those lists). As to matrix B, no protection is needed, because of the previous remark. Thus this abstract machine can be implemented as a wait-free shared-memory program (no locks used). 

6 Eliminating Redundancy 

Consider again the earlier figure and a path α ending where φ_0 starts. Two paths (φ_0 and φ) are available for composition with α. If α is composed with φ_0, the resulting path may continue being extended by composing with φ_1 and so on. These are redundant computations, since φ has already been computed. In terms of the abstract machine, after the path φ : s → d has its weight stored in B_{σ(s),d}, the path α with goal the port σ(s) may be composed not only with φ, but also with the elementary φ_0 from which φ was grown, whose weight still stands in the row indexed by σ(s) in B. The current machine either follows both paths, performing many redundant computations, or, if some thread extends α before φ has been stored in B, it does not follow φ at all, which sequentializes execution. 

To eliminate these redundancies, it is sufficient to remove from the net the path φ_0. In the abstract machine it can be removed from matrix B: 

Definition 7. A redundancy-free initial DTLW-configuration is any Σ_0 = (B^0 | [0]_N | [t_1, ..., t_m]), with all t_k^0 = (ε | C_k^0 | delist), and 

    B^0_{σ(s),d} = { 0    if (s, d, φ) ∈ C_k^0 for some k, 
                   {      otherwise. 



There is a problem with this if φ has not yet been computed: whereas before the path α could continue being extended by composing with φ_0, now it will die, preventing computation of the execution path. This is solved by keeping account of all the paths that are candidates for composition with paths in B, and performing the corresponding compositions when new weights are stored in B. These "waiting paths" (such as α in the example) will be kept in a matrix X in configurations (DTL-configurations with this X component are called DTLW), and the function Γ_B will be used to perform the necessary compositions. 

Proposition 5 cannot hold, since thread t_k will handle paths with arbitrary sources, generated by composing elements of X (of arbitrary source) with a path (s, d, φ) to be stored. Thus this machine cannot be implemented without synchronization. A change of perspective will allow us to recover Prop. 5 at the expense of allowing threads to write to each other's task lists. 

Table 3 contains the rules for the new abstract machine. Rules III and IV involve two threads. We will consider that the list of threads may be accessed as an array, i.e. a partial map L from indexes to threads. When i ∉ dom(L), L[i ↦ t_i] denotes the union of L with the singleton {(i, t_i)}. We will still use list notation if convenient, and t_i will abbreviate L(i). 

        (B | X | [t_i]) → (B | X | [t_i']) 
  -------------------------------------------------- i ∉ dom(L) 
  (B | X | L[i ↦ t_i]) ⇒ (B | X | L[i ↦ t_i']) 

        (B | X | [t_a, t_b]) →_{III,IV} (B | X | [t_a', t_b']) 
  ------------------------------------------------------------------ a, b ∉ dom(L) 
  (B | X | L[a ↦ t_a, b ↦ t_b]) ⇒ (B | X | L[a ↦ t_a', b ↦ t_b']) 

→_{III,IV} denotes reduction using one of rules III or IV. A possible particular case for these two rules is that i(s) = k. For this reason the definition of ⇒ includes the possibility of a single-thread reduction using rule III or IV. 



Properties. The soundness and completeness propositions hold, with Σ_0 in the conditions of Def. 7 and Table 3 replacing Table 2. A consequence of Prop. 5 is that 
Table 3. DTLW abstract machine with mutual writing 

Rule  Thread    Component  Before                          After 
I     t_k       Net        B                               add(B, σ(s), d, φ) 
                WPaths     X                               X 
                State      store(s, d, φ)                  enlist(Γ_B(σ(s), d, φ)) 
II    t_k       Net        B                               B                      (s ≠ N or d ≠ N) 
                WPaths     X                               add(X, s, d, φ) 
                State      compose(s, d, φ)                enlist(Γ_C(s, d, φ)) 
III   t_{i(s)}  STasks     S                               (s, d, φ) : S 
      t_k       State      enlist((s, d, φ) : T_S, T_C)    enlist(T_S, T_C) 
IV    t_{i(s)}  CTasks     C                               (s, d, φ) : C 
      t_k       State      enlist(ε, (s, d, φ) : T_C)      enlist(ε, T_C) 
V     t_k       State      enlist(ε, ε)                    delist 
VI    t_k       STasks     (s, d, φ) : S                   S 
                State      delist                          store(s, d, φ) 
VII   t_k       CTasks     (s, d, φ) : C                   C 
                STasks     ε                               ε 
                State      delist                          compose(s, d, φ) 




— the element indexed by (s, d) in matrix B is only written by thread t_{i(σ(s))} but can be read by any thread; 

— the element indexed by (s, d) in matrix X is only written by thread t_{i(s)} and only read by thread t_{i(σ(d))} (when applying function Γ_B). 

The completeness proposition no longer holds for free: a judicious choice of initial configurations and definition of storePred are now necessary, guaranteeing that storePred is verified at some point for all the paths calculated concurrently. Notably, this means these paths should not overlap. Let α and β be two subpaths of the execution path such that β starts inside α. If, when the port where β starts is reached, β has already been stored, then the part of α that has been computed will be composed with β, and the storePred predicate will never be applied to α. 

We propose as an example the following criterion: consider a set P of terminal ports, include in C_0 all the paths (i, j, Π*_{i,j}) such that i ∈ P, and let 

    storePred(s, d, φ) = (σ(d) ∈ P or d = N) and s ≠ N 

where the condition d = N is necessary to store the last subpath. This guarantees that paths do not overlap, since each path ends where another one starts. 

Implementation. The access to matrices B and X is naturally protected: no two threads can write to the same position in B or X. Locks are required for the individual lists of all threads, to be used as follows: 

— for executing rule III, thread t_k must own the S-lock of thread t_{i(s)}; 

— for executing rule IV, thread t_k must own the C-lock of thread t_{i(s)}; 

— for executing rule VI, thread t_k must own its own S-lock; 

— for executing rule VII, thread t_k must own its own C-lock. 
Table 4. Distributed-everything abstract machine 

Rule  Thread       Component  Before                          After 
I     t_k          Net        B                               add(B, σ(s), d, φ) 
                   WPaths     X                               X 
                   State      store(s, d, φ)                  enlist(Γ_B(σ(s), d, φ)) 
II    t_k          Net        B                               B                      (s ≠ N or d ≠ N) 
                   WPaths     X                               add(X, s, d, φ) 
                   State      compose(s, d, φ)                enlist(Γ_C(s, d, φ)) 
III   t_{i(σ(s))}  STasks     S                               (s, d, φ) : S 
      t_k          State      enlist((s, d, φ) : T_S, T_C)    enlist(T_S, T_C) 
IV    t_{i(d)}     CTasks     C                               (s, d, φ) : C 
      t_k          State      enlist(ε, (s, d, φ) : T_C)      enlist(ε, T_C) 
V     t_k          State      enlist(ε, ε)                    delist 
VI    t_k          STasks     (s, d, φ) : S                   S 
                   State      delist                          store(s, d, φ) 
VII   t_k          CTasks     (s, d, φ) : C                   C 
                   STasks     ε                               ε 
                   State      delist                          compose(s, d, φ) 




7 Distributed-Everything Abstract Machine 

In our final machine, threads keep individual copies of the B and X matrices. 

Definition 8. A DE-configuration is a list [t_1, ..., t_m] where each t_k = (B_k | X_k | S_k | C_k | st_k) is a thread, with B_k and X_k matrices of weights of dimension N; S_k and C_k the storage and composition task lists of t_k, and st_k its state. 

Table 4 defines a reduction → on one- and two-thread configurations. Then: 

Definition 9 (DE reduction). ⇒ is the smallest relation verifying: 

        [t_i] → [t_i']                          [t_a, t_b] → [t_a', t_b'] 
  -------------------------- i ∉ dom(L)     ------------------------------------------ a, b ∉ dom(L) 
  L[i ↦ t_i] ⇒ L[i ↦ t_i']                  L[a ↦ t_a, b ↦ t_b] ⇒ L[a ↦ t_a', b ↦ t_b'] 

Each thread now writes composition tasks to the task list of the thread 
corresponding to the goal port of the respective path. 

Proposition 6. Let i : N_D → N_T be a map, and consider a configuration Σ_0 = [t_1^0, ..., t_m^0], each t_k^0 = (B^0 | [0]_N | ε | C_k^0 | delist), and C_k^0 containing only paths (s, d, Π*_{s,d}) with i(d) = k. If Σ_0 ⇒* Σ and t_k is any thread in Σ with state compose(s, d, φ), then i(d) = k; if t_k has state store(s, d, φ), then i(σ(s)) = k. 

Corollary 1. With Σ_0 in the conditions of Prop. 6, B_{s,d} is only read and written by thread t_{i(s)}, and X_{s,d} is only read and written by thread t_{i(d)}. 

Each thread only needs to read from exactly the same positions of B and X that 
it writes to, thus the local copies of B and X do not need to be kept consistent. 
Implementation. In an implementation of this machine, synchronization is only 
needed for accessing the task lists of individual threads, used for communication. 

In practice it is not necessary that threads keep copies of the entire matrices: 
rows of B and columns of X can be distributed so that thread tk keeps only the 
rows of B and columns of X indexed by d such that i{d) = k. 

A Message-passing Machine. We now propose a change of perspective: consider 
that the task lists are communication buffers, where messages sent to a thread 
are kept before they are received by the thread. Then the enlist operation is 
a synchronous buffered send operation, which puts a task into the destination 
thread’s buffer, delist is a receive operation, by which a thread removes a message 
from one of its buffers. Two types of messages (compose and store) may be sent 
to a thread, which will be stored in different buffers. 

The message-passing mechanisms provided by any parallel-programming li- 
brary ensure that messages are naturally ordered on arrival and placed sequen- 
tially in the corresponding buffer (thus replacing synchronization). 

8 Conclusions and Further Work 

The fact that the abstract machines make it possible to identify the necessary synchronization mechanisms is of great importance: an important product of this is the wait-free abstract machine of Sect. 5. Wait-free implementations are typically difficult to obtain (to understand the need for synchronization in VR the reader should think of a situation like • → • → • → • where a critical pair exists). 

The abstract machines are parameterized on the initial paths to be extended, as well as on the criterion to stop extending paths. This makes it possible to implement different strategies for path computations (unlike virtual reduction, which, being a local reduction relation, has no built-in strategy). An instance of the abstract machines given here always incorporates a precise strategy, and this notably makes it possible to eliminate synchronization as well as useless computations. 

The parameterization we have given in Sect. 6 guarantees the correctness of the machines in Sects. 6 and 7, but does not allow for a subpath φ of the execution path to be used to extend another subpath φ': only the execution path can be extended using already computed subpaths. This has the advantage of simplicity, but it remains to study other efficient criteria. 

The appropriate technologies exist for implementing the given machines on widely available architectures, both for shared memory (for instance POSIX threads on SMP architectures) and distributed memory (message-passing libraries such as MPI or PVM). It is worth mentioning that we have implemented the DE-machine using MPI, and started testing it over a local-area network. With respect to shared-memory implementations, it will be important to compare the wait-free (Sect. 5) and the redundancy-free (Sect. 6) machines. 
The complexity of β-reduction in low orders 

Abstract. This paper presents the complexity of β-reduction for redexes of order 1, 2 and 3. It concludes with the following results: evaluation of Boolean expressions can be reduced to β-reduction of order 1 and β-reduction of order 1 is in O(n log n), β-reduction of order 2 is complete for PTIME, and β-reduction of order 3 is complete for PSPACE. 



1 Introduction 

The mechanism of evaluation in functional languages is based on β-reduction. Thus, it is interesting to study the complexity of the decision problem of whether a given value (a lambda term) is the result of some program (another lambda term). As most functional programs do not use functions of a very high order, we restrict the research to low orders. This paper concerns reductions in the 1st, 2nd and 3rd orders of the simply typed lambda calculus. 

Another good reason to study these problems is the application of the results and techniques to the study of the problem of higher-order matching. Known higher-order matching algorithms are usually based on checking whether a term obtained by some calculation actually reduces to a particular normal form. This corresponds exactly to the situation in our problems. Additionally, the obtained proofs shed more light on the nature of β-reduction, which is essential for the final solution of the higher-order matching problem. 

Related research. There is a similar problem of β-equivalence. It was studied in [Sta79] and a non-elementary bound on the complexity of the problem was found. The problem was also discussed in [Mai92], where an alternative proof of the result was described. Another similar problem, finding the length of a β-reduction sequence for a term, was studied in [Sch91]. The first attempt to analyse the complexity of β-reduction was presented in [HK96], where a whole hierarchy of orders and complexities was discussed, but for a slightly different problem in which a restricted syntax is considered and some additional reduction rules are allowed. 

The content of the paper. A reduction of the evaluation of Boolean expressions to 1st-order β-reduction is proved in Section 3, together with an O(n log n) algorithm for the reduction; PTIME-completeness for 2nd-order β-reduction is proved in Section 4, and PSPACE-completeness for 3rd-order β-reduction is proved in Section 5. 

* This work was partly supported by KBN grant no 8 TllC 035 14. 

S. Abramsky (Ed.): TLCA 2001, LNCS 2044, pp. 400-414, 2001. 

Springer- Verlag Berlin Heidelberg 2001 
2 Basic notions 

We deal with the simply typed λ-calculus, denoted by λ→ as in [Bar92]. The results obtained match both the Curry- and the Church-style version of the calculus. We study the β-reduction relation here. One-step reduction is denoted by →β. The transitive-reflexive closure of the relation is denoted by ↠β. The β-normal form of a term M is denoted by NF(M). The relation of α-equivalence is denoted by =α. We also use the notion of a context, which is usually denoted by C[·]; it is a term with a single hole that may be filled in by a term of a suitable type. The operation of 'filling in' does not perform any variable renaming. The context in which its hole is filled in with the term M is denoted by C[M]. 

The notion of order is defined as: ord(α) = 0 for α atomic and ord(σ_1 → σ_2) = max(ord(σ_1) + 1, ord(σ_2)). 

In the Church-style calculus, the order of the redex (λx.M)N in the term P = C[(λx.M)N] is the order of the type of λx.M assigned in the derivation of the type of P. In the Curry-style calculus, the order of such a redex is the minimum of the orders assigned to types of λx.M in type derivations for P. 

As far as the Curry-style definition is concerned, the question arises whether there is a uniform derivation of a type for P in which all redexes have minimal orders. The answer is 'there is': the derivation for the principal type of P has this property. 

The general formulation of the problem we deal with is as follows. 

Problem 1. Input: A λ→ term M_1 with redexes of order at most n and a normal-form λ→ term M_2. Question: Does M_1 β-reduce to M_2? 

We consider the problem for n = 1, 2, 3. Note that we assume that the input is already a term in λ→ and has redexes of suitable order. We do not make any checks that the input values are correct in the presented algorithms. These checks require an essentially polynomial-time algorithm, whose cost would dominate the bounds on the resources needed in some constructions presented in the paper. In fact, all presented reductions and algorithms may be performed for both Curry and Church terms. 

3 The order 1 

3.1 First-order β-reduction is in O(n log n) 

The first-order reduction can be performed in O(n log n) time. Our algorithm uses the notion of graph reduction. We assume here that the reader is familiar with this notion. The recommended readings about graph reduction include [Lam90,AL93] and [AG98]. Due to limited room, we do not present definitions pertinent to optimal reduction algorithms. We use the presentation included in the latter paper. For the sake of clarity we use the version of graph reduction in which fan-nodes have more than 2 auxiliary ports. This approach can easily be translated into the one with 2-port fan-nodes without affecting the complexity. 
Definition 1 (algorithm for 1st-order β-reduction) 

Let M_1 and M_2 be the input for the algorithm (we assume here w.l.o.g. that these terms are closed). The algorithm reduce_1st is described as follows. We need an additional stack S and a counter i. Some nodes of the graph will be marked during the reduction. We proceed as follows: 

1. Translate M_1 into its graph of reduction; initialise S to the empty stack. 

2. Walk through the starting λ-nodes without any change. 

3. Initialise i to 0. 

4. Go through @-nodes, incrementing i at each one and taking their left branch, until you meet a fan-node, an auxiliary port of a λ-node, a marked node or a principal port of a λ-node. 

(a) If it is a fan-node, an auxiliary port of a λ-node or a marked node, then check whether S is empty: if it is, go to point 5; if it is not, pop the value of i from S, then pop a node λ from the stack, and perform the β-redex above the node λ, marking the topmost node of the argument of the redex; finally, go to point 4. 

(b) If it is a principal port of a λ-node and i > 0, then decrement i, push the λ-node on S, push i, step to the right branch of the last @-node and begin the whole procedure from point 3. 

(c) If it is a principal port of a λ-node and i = 0, then go through the λ-node without any change and step to point 4. 

5. Perform the read-back of the graph; the resulting term is M_3. 

6. Check the α-equivalence of M_3 and M_2. 

Theorem 1. Let M_1 have redexes of order at most 1 and M_2 be in normal form. The algorithm reduce_1st results in success on these terms iff M_1 ↠β M_2. Moreover, reduce_1st needs only O(n log n) time to run. 

Proof. The algorithm is correct as it is only a strategy in an optimal reduction algorithm. 

Let us analyse the complexity of the algorithm. Let n be the size of the input for reduce_1st. 

The translation of the term to the graph can be performed in O(n) time using the usual syntax-analysis methods. The rest of the algorithm visits each node at most 2 times, and the number of steps performed for each node is bounded by a constant, except for the time needed to store i and a node on the stack. The last operation takes O(log n) time because of the length of the counter and of the pointer to the node. This altogether gives O(n log n) time. 

3.2 Boolean expressions reduce to first-order β-reduction 

A Boolean expression is an expression built of the connectives ∧, ∨ and the values true and false. An example is (true ∧ false) ∨ true. We can associate with each expression of this kind its value, which is generated according to the truth tables of the logical connectives ∧ and ∨. The problem of evaluation of Boolean expressions is: 
Definition 2 (evaluation of Boolean expressions) 

Input: A Boolean expression E. 

Question: Is true the value of E? 

The problem is in ALOGTIME (see [Bus87]). In order to relate the 1st-order situation to the 2nd and 3rd orders we present a first-order (i.e. in first-order logic) reduction of the problem to the first-order β-reduction problem. This presentation is only for the sake of completeness with the rest of the paper, where some variations of Boolean formulas are dealt with. In fact, we only relate β-reduction to the evaluation of expressions, which itself has no proof of ALOGTIME-hardness. A helpful definition of logical values is: 

Definition 3 (Boolean values) 

We define terms corresponding to Boolean values as TRUE = λx_1x_2.x_1 and FALSE = λx_1x_2.x_2. 

The translation from Boolean expressions is: 

Definition 4 (translation from Boolean expressions to λ→) 

The translation from Boolean expressions to λ→ has as input a Boolean expression E and results in two terms M_1 and M_2. We put M_1 = E2L(E) and M_2 = TRUE. The function E2L is defined by induction on the form of the Boolean expression (we may assume w.l.o.g. that the expressions do not contain negation): 

    E2L((E_1 ∧ E_2)) = λxy.(E2L(E_1))((E2L(E_2))xy)y,    E2L(true) = TRUE; 
    E2L((E_1 ∨ E_2)) = λxy.(E2L(E_1))x((E2L(E_2))xy),    E2L(false) = FALSE. 

Theorem 2. Let E be a Boolean expression. E has the result true iff the term E2L(E) reduces to TRUE. 

Moreover, the term E2L(E) has redexes of order at most 1. 

Proof. The main claim is obtained by a routine induction on the expression E. 

The only redexes in the term occur during the translation in the cases for ∧ and ∨. By induction on E, we can show that E2L(E) is of the type a → a → a, so these redexes are of order 1. 

Theorem 3. The term E2L(E) may be represented by a first-order formula over the signature of Boolean expressions. 

Proof. The formula that constitutes the universe has 5 variables x_1, ..., x_5. The first one is used to determine which operator is encoded; the rest are used to encode the Boolean representation of the nodes needed to represent a Boolean connective. The first lambda node is encoded as 0000, then x as 0001, the second λ-node as 0010 and so on. The edge relation (in a λ-term) is defined so that the first coordinate is constant and the other coordinates represent suitable bits as in the above-mentioned encoding. Details are left for the reader. 
4 The order 2 

4.1 Second-order β-reduction is in PTIME 

The second-order reduction can be performed in polynomial time. Our algorithm again uses the notion of graph reduction. 

Let us see what graph reduction looks like in this case. The starting point for this reduction is shown in Figure 1(a). The figure presents a β-redex located in a term (the omission of a part of the context of the redex is denoted by the dotted line). The star marked by G_0 symbolizes the body of the λ-abstraction that takes part in the β-reduction. The circle marked by G_1 symbolizes the body of the argument that takes part in the β-reduction. For the sake of clarity we denote a set of fan-nodes by a single fan with many entry ports. 

[Figure 1: panels (a) and (b)] 

Fig. 1. (a) The starting point for 2nd-order β-reduction. (b) The result of the first phase of β-reduction. 

The result of the first β-reduction step is shown in Figure 1(b). As we see, the argument G_1 goes into several places of the subterm G_0. Since we use a fan-node, the argument is not copied. This kind of reduction is performed during the first phase of our algorithm. Note that performing some β-redexes may introduce other ones. There are two ways in which such a redex may occur: one as in the term (λx_1.(λx_2.M))N_1N_2, the other as in the term (λx_1.C[x_1M])(λx_2.N). We conduct our reduction in such a way that redexes of the first kind are contracted in this phase, whereas the redexes of the second kind are not. We achieve this behaviour later in the definitions by marking the edge outgoing from G_1 (see point 2 in Definition 5). Note that this does not force us to reduce some redexes, but these redexes are certainly of order 1. We repeat this kind of reduction until there are no redexes. The result of the process is a term that has no 2nd-order redexes. 

Although there are no explicit redexes (except for the marked ones), we have some redexes hidden behind fan-nodes. We can extract these redexes as in Figure 2(a) and then contract them to the form presented in Figure 2(b). 
This process should be repeated until there are no λ-nodes behind fan-nodes (in other words, until there are no paths which enter a fan-node and then, after some number of brackets and croissants, immediately enter a λ-node). 

[Figure 2: panels (a) and (b)] 

Fig. 2. (a) The λ-nodes are extracted from the fan-nodes. (b) After the first-order reduction. 

Definition 5 (the algorithm for 2nd order) 

Let M_1 and M_2 be the input data for the algorithm. The algorithm reduce_2nd proceeds by performing the following steps: 

1. Translate the term M_1 into the corresponding graph. 

2. Perform one by one all existing β-reductions (after performing a reduction step, mark the edge that goes from the argument; in future reductions in this phase, omit redexes with such edges going out of λ-nodes). 

3. Push all λ-nodes through fans. 

4. Perform one by one all existing β-reductions and, if necessary, go to point 3. 

5. Reduce all matching fan-nodes so that they disappear. 

6. Perform the read-back of the resulting graph; if the result is larger than the term M_2, fail. Let M_3 be the result of the read-back. 

7. If M_2 =α M_3 then success, otherwise failure. 

For the sake of clarity, we omit reductions for brackets and croissants in the description, assuming that they are performed implicitly, resulting in the disappearance of nodes that occur at principal ports of fan-nodes, λ-nodes or @-nodes. 

Theorem 4. If reduce_2nd stops with success then NF(M_1) =α M_2. If the algorithm reduce_2nd fails then NF(M_1) ≠α M_2. 
Proof. The correctness of reduce_2nd is implied by the correctness of graph reduction. The only thing to be proved is that before entering point (6) in Definition 5 we obtain a graph that has no β-redexes in any reduction sequence, so that the read-back gives the normal form. 

We prove the last claim in two steps: first, we prove that after performing step (2) there will be no 2nd-order redexes; then we prove that after performing steps (3-4) there will be no 1st-order redexes. These are proved by contradiction. Details are left for the reader. 

In order to analyse the complexity of the algorithm reduce_2nd, we have to introduce the notion of the mixed bracket property. This notion formalises and generalises the property of the old-fashioned arithmetical notation in which different kinds of parentheses are used, as in the expression [(2 + 3) · 5 + 6] · 11. This property says that a parenthesis of kind A may be closed only if each parenthesis of any other kind B that is opened after the parenthesis of kind A is closed. For example, if we open [ and then ( then in order to put ] we have to put ) first. 

Definition 6 (the mixed parenthesis property) 

We say that a path p has the mixed parenthesis property iff for any fan-nodes A and B, if p enters a fan-node A at an auxiliary port α and afterwards a fan-node B at an auxiliary port β, then it must exit the auxiliary port β of a node corresponding to B before it exits the auxiliary port α of a node corresponding to A. 

Fact 1. During the reductions performed in reduce_2nd, all paths have the mixed parenthesis property. 

Proof. The proof is by induction on the number of steps of reduction during the 
algorithm reduce_2nd. Details are left for the reader. 

Theorem 5. The procedure reduce_2nd runs in O(n^c) time for a constant c. 

Proof. Let n = |M_1| + |M_2|. Most of the points have easily verified linear time complexity. Point (6) needs O(n^c) steps, since the mixed parenthesis property (Fact 1) ensures that there are no two fan-nodes that meet with principal ports: if matching fan-nodes exist then they are reduced in point (5), and if there are two non-matching fan-nodes then they break the mixed parenthesis property. As there are no fan-nodes that meet with principal ports, each path that exits a principal port of a fan-node and then, after some, possibly non-zero, number of other (non-bracket and non-croissant) nodes, enters a principal port of a fan-node must go through either an @-node or a λ-node. This ensures that such a node is visited at least once after visiting all fan-nodes. At last, (7) can be performed in O(n) time since M_2 is a part of the input and α-conversion can be performed in O(m), where m is the size of the terms to be checked. This altogether gives the time O(n^c). 
4.2 Second-order β-reduction is PTIME-hard 

The problem of the evaluation of Boolean circuits is reduced to the problem of second-order β-reduction in this section. The reduction is in LOGSPACE. This implies that second-order β-reduction is PTIME-hard. 

Definition 7 (Boolean circuit) 

A Boolean circuit is a directed acyclic graph such that: 

— its nodes are labeled with ∨, ∧, ¬, true or false, and a single node is labeled with result; 

— nodes labeled with ∨ and ∧ have two outgoing edges; 

— nodes labeled with ¬ and result have a single outgoing edge; 

— nodes labeled with true and false have no outgoing edges. 

The result of a Boolean circuit can be defined recursively in the obvious way, e.g. the value of a ∨-node is v_1 ∨ v_2, where v_1 is the value of the node at the end of the first outgoing edge and v_2 is the value of the node at the end of the second outgoing edge; the value of result is v, where v is the value of the node at the end of its outgoing edge. 

Definition 8 (the problem of evaluation of a Boolean circuit) 

The problem of the evaluation of a Boolean circuit is: 

Input: A Boolean circuit C 

Question: Does the circuit have the result true? 

The above-mentioned problem is PTIME-hard (see Theorem 8.1 in [Pap95]). 

We define the level of a node in a Boolean circuit. This notion helps us define the reduction. 

Definition 9 (level of a node) 

In a Boolean circuit C, the node result has level 0. A node n has level l if l = max{l_1, ..., l_k} + 1, where {l_1, ..., l_k} is the set of levels of the nodes n' such that (n', n) is an edge in C. 

We denote by C_n the set of nodes of level n. 

As Boolean circuits use logical connectives V, A and -i, we should define their 
counterparts in A-calculus. We also define logical values and quantifiers which 
are needed later. 

Definition 10 (connectives for translations) 

    TRUE  = λx_1 x_2. x_1 
    FALSE = λx_1 x_2. x_2 
    AND   = λb_1 b_2 x_1 x_2. b_1 (b_2 x_1 x_2) x_2 
    OR    = λb_1 b_2 x_1 x_2. b_1 x_1 (b_2 x_1 x_2) 
    NOT   = λb_1 x_1 x_2. b_1 x_2 x_1 
    ∀     = λφ x_1 x_2. AND (φ TRUE x_1 x_2) (φ FALSE x_1 x_2) 
    ∃     = λφ x_1 x_2. OR (φ TRUE x_1 x_2) (φ FALSE x_1 x_2) 

Definition 11 (reduction from Boolean circuits) 

This reduction is defined recursively on the level of nodes. We introduce variables 
{x^j_i | 1 ≤ i ≤ k_j} where k_j is the number of nodes on the level j. 

— The term LEVEL_1 is defined as x^1_result. 

— The term LEVEL_{n+1} is defined on the basis of the term LEVEL_n as 

    (λx^{n+1}_1 ... x^{n+1}_{k_{n+1}}. LEVEL_n) B_1 ... B_{k_{n+1}} 

where 

  • B_i = AND x^l_k x^{l'}_{k'} if the i-th node on the level n + 1 is ∧ and one of its 
    outgoing edges leads to the k-th node on the l-th level and the other to the k'-th 
    node on the l'-th level; 

  • B_i = OR x^l_k x^{l'}_{k'} if the i-th node on the level n + 1 is ∨ and one of its 
    outgoing edges leads to the k-th node on the l-th level and the other to the k'-th 
    node on the l'-th level; 

  • B_i = NOT x^l_k if the i-th node on the level n + 1 is ¬ and its outgoing 
    edge leads to the k-th node on the l-th level; 

  • B_i = TRUE if the i-th node on the level n + 1 is true; 

  • B_i = FALSE if the i-th node on the level n + 1 is false. 

(Note that LEVEL_0 = where A is either TRUE or FALSE.) 

Theorem 6. Let G be a Boolean circuit and n its maximum level of nodes. G 
has the result true iff the term LEVEL_n reduces to TRUE. 

Moreover, the term LEVEL_n has redexes of order at most 2. 

Proof. The proof is by induction on the maximal level of the graph G. The induction 
step consists in a suitable reduction of the highest level so that it disappears 
and the number of levels is decreased. 

Theorem 7. The term LEVEL_n may be generated with use of additional space 
of size O(log |G|). 

Proof. W.l.o.g. we may assume that Boolean circuits have assigned to each node 
its level. This allows us to use a counter that says on which level we are. This 
is enough to identify where the appropriate variables and the terms 
AND, OR, NOT, TRUE and FALSE should be placed. Such a counter needs O(log n) space. 
Another counter is needed for the names of variables, but O(log n) is sufficient here too. 
Details are left for the reader. 

5 The order 3 

5.1 Third-order β-reduction is in PSPACE 

The third-order reduction can be performed in polynomial space. Our algorithm, 
similarly to the second-order case, uses the notion of graph reduction. 

Let us see what the process of graph reduction looks like in this case. 
The starting point of such a reduction may look like Figure 3(a). The figure 
presents a β-redex in a λ-term. The star marked by G_0 denotes the body of the λ-
abstraction that takes part in the β-reduction. The circle marked by G_1 denotes the 
body of the argument that takes part in the β-reduction. The dotted lines represent 
parts of the term that are missing in the picture. 

Fig. 3. (a) The starting point for 3rd-order β-reduction. (b) The result of the first 
phase of β-reduction. 

The result of the first β-reduction step is shown in Figure 3(b). As we see, 
the argument G_1 goes into several places of the subterm G_0, as in the 2nd-order 
case. This kind of reduction is performed during the first phase of our algorithm. 
Again, the process of reduction may introduce other redexes. Again, we perform 
only some of the new redexes, similarly to the 2nd-order case. We repeat this 
kind of reduction until there are no redexes. The result of the process is a term 
that has no 3rd-order redexes. 

Although there are no explicit redexes (except for the marked ones), we have 
some redexes hidden behind fan-nodes. We can extract these redexes as in Figure 4(a) 
and then contract them with @-nodes that come from G_0, as depicted in 
Figure 4(b). This process should be repeated until there are no λ-nodes behind 
fan-nodes (in other words, until there are no paths which enter a fan-node and 
then, after some number of brackets and croissants, immediately enter a λ-node). 

The result of such a reduction is depicted in Figure 5(a). We have two fan-nodes 
surrounding G_1': the upper one because the term occurs in several places and 
the lower one because different terms are substituted for a variable depending on 
which place is taken into account. This ends the second phase of the reduction 
(the reduction of 2nd-order redexes). 

The last phase of the reduction begins: the reduction of 1st-order redexes. 
These redexes occur as in Figure 5(b) and begin to interact with the graph G_1'. 
As the 1st-order variable that took part in the 2nd-order reduction (the lambdas 
of which were multiplied in Figure 4(a)) can occur in several places inside G_1', 
several @-nodes will take part in the reduction of 1st-order redexes. We can see 
these @-nodes in Figure 6(a). As this multiplication concerns only one variable, 
we have a fan-node that performs this operation, also visible in Figure 6(a). 

Fig. 4. (a) The λ-nodes are extracted from fan-nodes. (b) The λ-nodes meet suitable 
@-nodes. 

The fan-nodes that meet begin to interact. The result of the interaction is 
depicted in Figure 6(b), where it is denoted by the letter F. When we zoom into 
the area denoted by F we see a complicated web of links, which is shown 
in Figure 7. The next step to perform is to push @-nodes through fan-nodes. 
The result of performing this step is partially shown in Figure 8(a). Each upper 
fan-node gets multiplied as it must go into the two edges outgoing from each @-
node. The next phase is to push λ-nodes through fan-nodes and perform β-
redexes. The result of these operations is depicted in Figure 8(b). The left, 
big fan-node indicates that the body of the applied function goes into the place 
where the application was situated previously. The right, big fan-node indicates that 
the arguments of the application are placed in variables. 

Definition 12 (the algorithm for 3rd order) 

Let M_1 and M_2 be the input data for the algorithm. The algorithm reduce_3rd 
proceeds as follows: 

1. Translate the term M_1 into the corresponding graph. 

2. Perform one by one all existing β-reductions (after performing a reduction 
step, mark the edge that goes from the argument; in future reductions within 
this phase, omit redexes with such an edge going out of a λ-node). 

3. Clear all markings. 

4. Push all fans through λ-nodes. 

5. Perform one by one all existing β-reductions (again with marking). 

6. Perform all interactions between fans and afterwards push all fans through 
λ- and @-nodes. 

7. Perform one by one all existing β-reductions. 

8. Perform the read-back of the resulting graph; if the result is larger than the 
term M_2 to be equated, fail. Let M_3 be the result of the read-back. 

9. If M_2 =_α M_3 then success, otherwise failure. 

Fig. 5. (a) The result of the second phase of reduction. (b) First-order λ-nodes begin 
to reduce. 



In order to describe the complexity precisely we need a special notion called 
the level of a redex. 

Definition 13 (level of a redex) 

Let us define a special kind of reduction in which (λx.M)N →_{β'} M[x := N*], 
where N* is the term N with a special marking (the marking should be understood 
as a new kind of language symbol, similar to application or abstraction, 
i.e. the marking is applied locally, not throughout the whole term N, and thus is 
not visible in redexes inside N). Note that we forbid the reduction (λx.M)*N →_{β'} 
M[x := N*]. Of course, all reductions performed in this framework may be 
performed as the usual β-reduction. Thus paths of β'-reduction may be treated as 
paths of β-reduction. On the other hand, each path of β-reduction M_1, ..., M_n 
may be presented as 

    M_1, ..., M_{i_1}, M_{i_1+1}, ..., M_{i_2}, ..., M_{i_{k-1}+1}, ..., M_{i_k} 

where the redexes between the terms M_{i_j+1}, ..., M_{i_{j+1}} can be performed using β'-reduction 
and M_{i_{j+1}} is a β'-normal form. The β-redexes in the j-th such section are called 
redexes of the level j. 

It is easily verified that each reduction of a term with redexes of order at 
most n has redexes of order at most n − 2. If n is the highest order of a redex 
in a term then the redexes of the order n are reduced during the 0-level section, 
the redexes of the level n − 1 are reduced during the 1-level section and so on. 
Fig. 6. (a) Multiple occurrences of 1st-order variables with surrounding @-nodes. (b) 
Fan-nodes interact. 

Fig. 7. The interaction of fan-nodes. 

Also the notion of the level of a redex straightforwardly translates to graph 
reduction. The algorithm for 3rd-order reduction needs redexes of order at most 
1. The redexes of the level 0 are reduced in step (2) of the algorithm, the 
redexes of the level 1 are reduced in step (5) of the algorithm and at last the 
redexes of the level 2 are reduced in step (7) of the algorithm. 

Theorem 8. Let M_1 have redexes of order at most 3 and M_2 be in normal form. 
The algorithm reduce_3rd results in success on these terms iff M_1 =_β M_2. 
Moreover, reduce_3rd needs only O(n^2) space to run. 

Proof. The algorithm is correct as it is only a strategy in an optimal reduction 
algorithm. 

The analysis of the complexity of the algorithm is quite routine. Here are the 
most difficult cases: 

Point (4) requires the multiplication of λ-nodes and fan-nodes. This multiplication 
is performed as in Figure 4(a), and so the number of new λ-nodes is 
bounded by k_1 · k_2 where k_1 is the number of variables that take part in 
step (2) of the algorithm and k_2 is the number of variables that are in the 
arguments of the former variables in the input. This gives the O(n^2) space. The 
fan-nodes are replicated only O(n) times as the number of variables that take 
part in step (2) majorises the number of replications. The last number is of 
O(n^2) magnitude. 

Fig. 8. (a) One application goes between fan-nodes. (b) After pushing λ-nodes through 
fans, applications are reduced. 

Point (7) is a usual walk through the graph in hand. As the size of the graph 
is O(n^2), the time and thus the space is O(n^2). 

This altogether gives O(n^2) space. 



5.2 Third-order β-reduction is PSPACE-hard 

We rely here on the quantified Boolean formulae problem (QBF), which consists in 
deciding whether a given formula with quantified Boolean variables is true. This 
problem is known to be PSPACE-complete. We present a PTIME reduction of 
the QBF problem to the 3rd-order reduction problem. 

The translation is defined as follows. 

Definition 14 (translation from QBF to λ→) 

The translation from QBF to λ→ has as an input a QBF sentence φ and as 
a result two terms M_1 and M_2. We put M_1 = Q2L(φ) and M_2 = TRUE. The 
function Q2L is defined by induction on the form of the QBF formula: 

    Q2L(true) = TRUE;                          Q2L(false) = FALSE; 
    Q2L(x) = x where x is a variable;          Q2L(¬φ) = NOT(Q2L(φ)); 
    Q2L(φ_1 ∧ φ_2) = AND(Q2L(φ_1))(Q2L(φ_2));   Q2L(φ_1 ∨ φ_2) = OR(Q2L(φ_1))(Q2L(φ_2)); 
    Q2L(∀x.φ) = ∀(λx.Q2L(φ));                  Q2L(∃x.φ) = ∃(λx.Q2L(φ)). 

Theorem 9. A QBF sentence φ is true iff the term Q2L(φ) reduces to TRUE. 
Moreover, the term Q2L(φ) has redexes of order at most 3. 

Proof. We need a slightly extended version of the claim: 

Let φ be a QBF formula with free variables in X = {x_1, ..., x_n}. The 
formula is true under the valuation v : X → {true, false} iff the term 
Q2L(φ)[x_1 := Q2L(v(x_1)), ..., x_n := Q2L(v(x_n))] reduces to TRUE. 

The proof is by straightforward induction on the structure of φ and is left for 
the reader. 

The redexes in the result of the translation occur in subterms beginning with 
AND, OR, NOT, ∀, ∃. The type of AND, OR and NOT is of order 2. These terms 
take as arguments values of the type α → α → α (which is the type of the Boolean 
terms TRUE and FALSE). The type of ∀ and ∃ is more complicated and is of 
order 3. These terms take an argument of the type (α → α → α) → α → α → α. 
No other terms occur in redex positions in translated terms. 

We also have by routine analysis: 

Theorem 10. The translation from QBF to λ→ can be performed in O(n log n) 
time. 
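The circuit reduction of Definition 11 and the Q2L translation of Definition 14, worked through in code as an added example that is not part of the paper: it builds the connectives of Definition 10 over a small normal-order β-reducer and checks whether the resulting term reduces to TRUE (Theorems 6 and 9). The term representation, the circuit and QBF syntax, and the quantifier encoding ∀φ = AND(φ TRUE)(φ FALSE) (this example's own choice, not Definition 10 as printed) are assumptions of the example.

```python
"""Added example (not the paper's code): Definition 10's connectives, the
LEVEL_n term of Definition 11 and the Q2L translation of Definition 14,
checked with a small normal-order beta-reducer.  The term representation, the
circuit/QBF syntax and the quantifier encoding (FORALL p = AND (p TRUE)
(p FALSE), a choice of this example) are assumptions of the example."""
import itertools

_fresh = itertools.count()                    # counter for capture-avoiding renames

def V(x): return ('var', x)
def L(*names_then_body):                      # L('x1', 'x2', b) = \x1 x2. b
    *names, body = names_then_body
    for n in reversed(names): body = ('lam', n, body)
    return body
def A(f, *args):                              # A(f, a, b) = ((f a) b)
    for a in args: f = ('app', f, a)
    return f

def free(t):
    if t[0] == 'var': return {t[1]}
    if t[0] == 'lam': return free(t[2]) - {t[1]}
    return free(t[1]) | free(t[2])

def subst(t, x, s):
    """Capture-avoiding t[x := s]; a binder clashing with s is renamed first."""
    if t[0] == 'var': return s if t[1] == x else t
    if t[0] == 'app': return ('app', subst(t[1], x, s), subst(t[2], x, s))
    y, body = t[1], t[2]
    if y == x: return t
    if y in free(s):
        y2 = f"{y}#{next(_fresh)}"
        y, body = y2, subst(body, y, V(y2))
    return ('lam', y, subst(body, x, s))

def step(t):
    """One leftmost-outermost beta step, or None if t is in normal form."""
    if t[0] == 'var': return None
    if t[0] == 'lam':
        b = step(t[2])
        return None if b is None else ('lam', t[1], b)
    f, a = t[1], t[2]
    if f[0] == 'lam': return subst(f[2], f[1], a)
    f2 = step(f)
    if f2 is not None: return ('app', f2, a)
    a2 = step(a)
    return None if a2 is None else ('app', f, a2)

def normalize(t, fuel=100000):
    while (n := step(t)) is not None:
        t, fuel = n, fuel - 1
        if fuel == 0: raise RuntimeError("no normal form within fuel")
    return t

# Definition 10 (TRUE, FALSE, AND, OR, NOT as printed; quantifiers: see docstring)
TRUE  = L('x1', 'x2', V('x1'))
FALSE = L('x1', 'x2', V('x2'))
AND = L('b1', 'b2', 'x1', 'x2', A(V('b1'), A(V('b2'), V('x1'), V('x2')), V('x2')))
OR  = L('b1', 'b2', 'x1', 'x2', A(V('b1'), V('x1'), A(V('b2'), V('x1'), V('x2'))))
NOT = L('b1', 'x1', 'x2', A(V('b1'), V('x2'), V('x1')))
FORALL = L('p', A(AND, A(V('p'), TRUE), A(V('p'), FALSE)))
EXISTS = L('p', A(OR, A(V('p'), TRUE), A(V('p'), FALSE)))

def is_true(t):
    """A closed Boolean term normalises to \\p q. p or \\p q. q (simple types);
    it is TRUE exactly when the innermost body is the outer variable."""
    nf = normalize(t)
    return nf[0] == 'lam' and nf[2][0] == 'lam' and nf[2][2] == V(nf[1])

def level_term(circuit):
    """Definition 11 for circuit = {node: (label, [children])}, every node
    reachable from 'result'; the variable x^l_i of a node is named 'x<l>_<node>'."""
    parents = {n: [] for n in circuit}
    for n, (_, kids) in circuit.items():
        for c in kids: parents[c].append(n)
    lvl = {}
    def level(n):                             # Definition 9
        if n not in lvl:
            lvl[n] = 0 if n == 'result' else 1 + max(level(p) for p in parents[n])
        return lvl[n]
    var = {n: V(f"x{level(n)}_{n}") for n in circuit if n != 'result'}
    def B(n):                                 # the B_i of Definition 11
        lab, kids = circuit[n]
        op = {'and': AND, 'or': OR, 'not': NOT}.get(lab)
        return A(op, *[var[k] for k in kids]) if op else (TRUE if lab == 'true' else FALSE)
    term = var[circuit['result'][1][0]]       # the node that result points to
    for j in range(1, max(lvl.values()) + 1): # wrap LEVEL_1 ... LEVEL_n around it
        nodes = sorted(n for n in circuit if lvl[n] == j)
        term = A(L(*[var[n][1] for n in nodes], term), *[B(n) for n in nodes])
    return term

def q2l(phi):
    """Definition 14 over True | False | 'x' | ('not', f) | ('and'|'or', f, g)
    | ('forall'|'exists', 'x', f)."""
    if phi is True or phi is False: return TRUE if phi else FALSE
    if isinstance(phi, str): return V(phi)
    op = phi[0]
    if op == 'not': return A(NOT, q2l(phi[1]))
    if op in ('and', 'or'): return A(AND if op == 'and' else OR, q2l(phi[1]), q2l(phi[2]))
    return A(FORALL if op == 'forall' else EXISTS, L(phi[1], q2l(phi[2])))

# Constructed samples: (true OR false) AND NOT false, and forall x. exists y. x <-> y
SAMPLE_CIRCUIT = {'result': ('result', ['n1']), 'n1': ('and', ['n2', 'n3']),
                  'n2': ('or', ['t', 'f']), 'n3': ('not', ['f']),
                  't': ('true', []), 'f': ('false', [])}
SAMPLE_QBF = ('forall', 'x', ('exists', 'y', ('or', ('and', 'x', 'y'),
                                              ('and', ('not', 'x'), ('not', 'y')))))
```

`is_true(level_term(SAMPLE_CIRCUIT))` and `is_true(q2l(SAMPLE_QBF))` both return True; replacing the circuit's `or` node by `and` or the QBF by `('forall', 'x', 'x')` makes them return False.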
Abstract. In this paper we introduce a cut-elimination procedure 
for classical logic, which is both strongly normalising and consists 
of local proof transformations. Traditional cut-elimination procedures, 
including the one by Gentzen, are formulated so that they only rewrite 
neighbouring inference rules; that is, they use local proof transformations. 
Unfortunately, such local proof transformations, if defined naively, 
break the strong normalisation property. Inspired by work of Bloo and 
Geuvers concerning the λx-calculus, we shall show that a simple trick 
allows us to preserve this property in our cut-elimination procedure. 
We shall establish this property using the recursive path ordering by 
Dershowitz. 

Keywords. Cut-Elimination, Classical Logic, Explicit Substitution, 
Recursive Path Ordering. 



1 Introduction 

Gentzen showed in his seminal paper [ref] that all cuts can be eliminated from 
sequent proofs in LK and LJ. He not only proved that cuts can be eliminated, 
but also gave a simple procedure for doing so. This procedure consists of proof 
transformations, or cut-reductions, that do not eliminate all cuts from a proof 
immediately, but rather replace every instance of a cut with simpler cuts, and 
by iteration one eventually ends up with a cut-free proof. We refer to a proof 
transformation as being local, or Gentzen-like, if it only rewrites neighbouring 
inference rules, possibly by duplicating a subderivation. Most of the traditional 
cut-elimination procedures, including Gentzen's original procedure, consist of 
such local proof transformations. 

In [ref] and [ref] three criteria for a cut-elimination procedure were introduced: 

1. the cut-elimination procedure should not restrict the collection of normal 
forms reachable from a given proof in such a way that "essential" normal 
forms are no longer reachable, 

2. the cut-elimination procedure should be strongly normalising, i.e., all 
possible reduction strategies should terminate, and 

3. the cut-elimination procedure should allow cuts to pass over other cuts. 

Owing to space restrictions we cannot defend these criteria here and refer the 
reader to [ref], where it is explained why they play an important role in investigating 
the computational content of classical logic. 

The main purpose of this paper is to present a cut-elimination procedure that 
satisfies the three criteria and that consists of only Gentzen-like cut-reductions. 
At the time of writing, we are not aware of any other cut-elimination procedure 
fulfilling both demands. The problem with Gentzen-like cut-reductions is that 
they, if defined naively, break the strong normalisation property, as illustrated 
in the following example given in [ref]. Consider the following LK-proof. 



\[
\infer[\mathrm{Cut}]{A \vee A \vdash A \wedge A}{
  \infer[\mathrm{Contr}_R]{A \vee A \vdash A}{
    \infer[\vee_L]{A \vee A \vdash A, A}{A \vdash A & A \vdash A}}
  &
  \infer[\mathrm{Contr}_L]{A \vdash A \wedge A}{
    \infer[\wedge_R]{A, A \vdash A \wedge A}{A \vdash A & A \vdash A}}}
\tag{1}
\]



Using Gentzen-like proof transformations there are two possibilities for permut- 
ing the cut upwards: it can either be permuted upwards in the left proof branch 
or in the right proof branch. In both cases a subproof has to be duplicated. 
Taking the former possibility, we obtain the proof 



\[
\infer[\mathrm{Contr}_R]{A \vee A \vdash A \wedge A}{
  \infer[\mathrm{Cut}]{A \vee A \vdash A \wedge A, A \wedge A}{
    \infer[\mathrm{Cut}]{A \vee A \vdash A, A \wedge A}{
      \infer[\vee_L]{A \vee A \vdash A, A}{A \vdash A & A \vdash A}
      &
      \infer[\mathrm{Contr}_L]{A \vdash A \wedge A}{
        \infer[\wedge_R]{A, A \vdash A \wedge A}{A \vdash A & A \vdash A}}}
    &
    \infer[\mathrm{Contr}_L]{A \vdash A \wedge A}{
      \infer[\wedge_R]{A, A \vdash A \wedge A}{A \vdash A & A \vdash A}}}}
\]



where two copies of the right subproof are created. Now permute the upper cut 
to the right, which gives the following proof. 



\[
\infer[\mathrm{Contr}_R]{A \vee A \vdash A \wedge A}{
  \infer[\mathrm{Cut}]{A \vee A \vdash A \wedge A, A \wedge A}{
    \infer[\mathrm{Contr}_R]{A \vee A \vdash A, A \wedge A}{
      \infer[\mathrm{Contr}_L]{A \vee A \vdash A, A, A \wedge A}{
        \infer[\mathrm{Cut}]{A \vee A, A \vee A \vdash A, A, A \wedge A}{
          \infer[\vee_L]{A \vee A \vdash A, A}{A \vdash A & A \vdash A}
          &
          \infer[\mathrm{Cut}]{A \vee A, A \vdash A, A \wedge A}{
            \infer[\vee_L]{A \vee A \vdash A, A}{A \vdash A & A \vdash A}
            &
            \infer[\wedge_R]{A, A \vdash A \wedge A}{A \vdash A & A \vdash A}}}}}
    &
    \infer[\mathrm{Contr}_L]{A \vdash A \wedge A}{
      \infer[\wedge_R]{A, A \vdash A \wedge A}{A \vdash A & A \vdash A}}}}
\]



This proof contains an instance of the reduction applied in the first step (compare 
the rule names in bold face). Even worse, it is bigger than the proof with which 
we started, and so in effect we can construct infinite reduction sequences. 

Another problem with Gentzen-like cut-reductions arises from the third criterion. 
If one introduces the following reduction rule, which allows a cut (suffix 2) 
to pass over another cut (suffix 1) 

    [Rule (2), a proof-transformation figure: the derivation on the left ends with Cut1 followed below by Cut2 and is rewritten to the derivation on the right, which ends with Cut2 followed below by Cut1.]   (2) 

then clearly one loses the strong normalisation property: the reduct is again an 
instance of this rule, and one can loop by constantly applying this reduction. Thus a 
common restriction is to not allow a cut to pass over another cut in any circumstances. 
Unfortunately, this has several serious drawbacks; as noted in [ref], it limits, for 
example, in the intuitionistic case the correspondence between cut-elimination and beta-
reduction. In particular, strong normalisation of beta-reduction cannot be inferred from 
strong normalisation of cut-elimination. Therefore we shall introduce cut-reductions 
that avoid the infinite reduction sequence illustrated in (1), but allow cuts to pass over 
other cuts without breaking the strong normalisation property. 

Because of the conflicting demands of being very liberal (e.g. allowing cuts to pass 
over other cuts) and at the same time preserving the strong normalisation property, 
such a cut-elimination procedure seems difficult to obtain. So, rather surprisingly, we 
found that if one adds to the usual cut-rule 

\[
\infer[\mathrm{Cut}]{\Gamma_1, \Gamma_2 \vdash \Delta_1, \Delta_2}{\Gamma_1 \vdash \Delta_1, C & C, \Gamma_2 \vdash \Delta_2}
\]

the following two, referred to as labelled cut-rules, 

\[
\infer[\mathrm{Cut}']{\Gamma_1, \Gamma_2 \vdash \Delta_1, \Delta_2}{\Gamma_1 \vdash \Delta_1, C & C, \Gamma_2 \vdash \Delta_2}
\qquad
\infer[\mathrm{Cut}'']{\Gamma_1, \Gamma_2 \vdash \Delta_1, \Delta_2}{\Gamma_1 \vdash \Delta_1, C & C, \Gamma_2 \vdash \Delta_2}
\]

then one can define a cut-elimination procedure that satisfies the three criteria and 
that only consists of Gentzen-like cut-reductions. 

Reconsider the proof given in (1). There the infinite reduction sequence could be 
constructed by permuting cuts into alternating directions. Clearly, this reduction 
sequence can be avoided if commuting cuts have to be permuted into only one direction. 
(A cut is said to be a logical cut when both cut-formulae are introduced by axioms or 
logical inference rules; otherwise the cut is said to be a commuting cut.) Furthermore, 
instead of the cut-reduction shown in (2), we can introduce the following cut-reduction 

    [cut-reduction figure: two derivations, each ending in a Cut; only the rule names survive on the page] 

which allows cuts to pass over other cuts, but which does not break the strong 
normalisation property: the reduction cannot be applied to the reduct. 

Although the "trick" with the labelled cuts seems to be trivial, the corresponding 
strong normalisation proof is rather non-trivial (mainly because we allow cuts to pass 
over other cuts). To prove this property, we shall make use of a technique developed 
in [ref]. This technique appeals to the recursive path ordering theorem by Dershowitz. 
Our proof is more difficult than the one given in [ref], which also appeals to the recursive 
path ordering theorem, because we allow, as mentioned above, cuts to pass over other 
cuts. To be able to present our proof in a manageable form, we found it extremely 
useful to annotate sequent proofs with terms. In consequence, our contexts are sets of 
(label, formula) pairs, as in type theory, and not multisets, as in LK or LJ. 

The paper is organised as follows. In Section 2 our sequent calculus and the corresponding 
term annotations will be given. To save space, we shall restrict our attention 
in this paper to the ∧-fragment of classical logic, but it should be emphasised that the 
strong normalisation result for cut-elimination may be obtained for all connectives by 
a simple adaptation of the proof we shall give. The cut-elimination procedure will be 
defined in Section 3. A comparison with the λx-calculus will be given in Section 4. In 
Section 5 we shall describe the proof of strong normalisation, and conclude and give 
suggestions for further work in Section 6. 

2 Sequent Calculus, Terms, and Typing Judgements 

In this section we shall introduce our sequent calculus for classical logic. As mentioned 
earlier, we shall restrict our attention to the ∧-fragment. Thus the formulae are given 
by the grammar 

    B ::= A | B ∧ B 

in which A ranges over propositional symbols. 

Our sequents contain two contexts, an antecedent and a succedent, both of which 
are sets of (label, formula) pairs. As we shall see, the use of sets allows us to define 
the sequent calculus so that the structural rules, i.e., weakening and contraction, are 
completely implicit in the form of the logical inference rules. Since there are two sorts of 
contexts, it will be convenient to separate the labels into names and co-names; in what 
follows a, b, c, ... will stand for co-names and similarly ..., x, y, z for names. Thus, 
antecedents are built up by (name, formula) pairs and succedents by (co-name, formula) 
pairs. We shall employ some shorthand notation for contexts: rather than writing, for 
example, {(x, B), (y, C), (z, D)}, we shall simply write x : B, y : C, z : D. 

Whereas in LK the sequents consist of an antecedent and a succedent only, in our 
sequent calculus the sequents have another component: a term. Terms encode the 
structure of sequent proofs and thus allow us to define a complete cut-elimination 
procedure as a term rewriting system. The set of raw terms, K_∧, is defined by the 
grammar 

    M, N ::= Ax(x, a)                         Axiom 
           | And_R(⟨a:B⟩M, ⟨b:C⟩N, c)          And-R 
           | And_L^i((x:B)M, y)                And-L_i (i = 1, 2) 
           | Cut(⟨a:B⟩M, (x:B)N)               Cut 
           | Cut′(⟨a:B⟩M, (x:B)N)              Cut with label ′ 
           | Cut″(⟨a:B⟩M, (x:B)N)              Cut with label ″ 

where x, y are taken from a set of names and a, b, c from a set of co-names; B 
and C are types (formulae). In a term we use round brackets to signify that a name 
becomes bound and angle brackets that a co-name becomes bound. In what follows 
we shall often omit the types on the bindings for brevity, regard terms as equal up 
to alpha-conversion and adopt a Barendregt-style convention for the names and co-
names. These conventions are standard in term rewriting. Notice however that names 
and co-names are not the same notion as a variable in the lambda-calculus: whilst a 
term can be substituted for a variable, a name or a co-name can only be "renamed". 
Rewriting a name x to y in a term M is written as M[x↦y], and similarly rewriting 
a co-name a to b is written as M[a↦b]. The routine formalisation of these rewriting 
operations is omitted. In our proof it will be useful to have the following notions: a 
term is said to be labelled provided its top-most term constructor is either Cut′ or Cut″; 
otherwise the term is said to be unlabelled; a term is said to be completely unlabelled 
provided all subterms are unlabelled. Other useful notions are as follows. 

• A term, M, introduces the name x or co-name c iff M is of the form 

    for x:  Ax(x, c),  And_L^i((y)S, x)        for c:  Ax(x, c),  And_R(⟨a⟩S, ⟨b⟩T, c) 

• A term, M, freshly introduces a name iff M introduces this name, but none of its 
proper subterms does. In other words, the name must not be free in a proper subterm, 
just in the top-most term constructor. Similarly for co-names. 

We can now formally introduce sequents, or typing judgements. They are of the 
form Γ ▷ M ▷ Δ with Γ being an antecedent, M a term and Δ a succedent. Henceforth 
we shall be interested only in well-typed terms; these are the terms for which there are 
two contexts, Γ and Δ, such that Γ ▷ M ▷ Δ holds given the inference rules in Figure 
1. We shall write T_∧ for the set of well-typed terms. 

Whilst the structural rules are implicit in our sequent calculus, i.e., the calculus 
has fewer inference rules, there are a number of subtleties concerning contexts. First, 
we assume the convention that a context is ill-formed if it contains more than one 
occurrence of a name or co-name. For example the antecedent x:B, x:C is not allowed. 
Hereafter, this will be referred to as the context convention, and it will be assumed 
that all inference rules respect this convention. 

Second, we have the following conventions for the commas in Figure 1: a comma 
in a conclusion stands for set union and a comma in a premise stands for disjoint 
set union. Consider for example the ∧L_i-rule. This rule introduces the (name, formula) 
pair y:B_1∧B_2 in the conclusion, and consequently y is a free name in And_L^i((x)M, y). 
However, y can already be free in the subterm M, in which case y:B_1∧B_2 belongs to 
Γ. We refer to this as an implicit contraction. Hence the antecedent of the conclusion 
of ∧L_i is of the form y:B_1∧B_2 ∪ Γ where ∪ denotes set union. Clearly, if the term 
And_L^i((x)M, y) freshly introduces y, then this antecedent is of the form y:B_1∧B_2 ⊎ Γ 
where ⊎ denotes disjoint set union. Note that x:B_1 cannot be part of the conclusion: 
x becomes bound in the term. Thus the antecedent of the premise must be of the form 
x:B_1 ⊎ Γ. 

There is one point worth mentioning about the cut-rules, because they are the only 
inference rules in our sequent calculus that do not share the contexts, but require 
that two contexts are joined on each side of the conclusion. Thus we take the cut-rule 
labelled with ′, for example, to be of the form 

\[
\infer[\mathrm{Cut}']{\Gamma_1 \cup \Gamma_2 \rhd \mathrm{Cut}'(\langle a \rangle M, (x)N) \rhd \Delta_1 \cup \Delta_2}{\Gamma_1 \rhd M \rhd \Delta_1 \uplus a{:}B & x{:}B \uplus \Gamma_2 \rhd N \rhd \Delta_2}
\]

In effect, this rule is only applicable if it does not break the context convention, 
which can always be achieved by renaming some labels appropriately. Notice 
that we do not require that cut-rules have to be "fully" multiplicative: the Γ_i's 
(respectively the Δ_i's) can share some formulae. 

3 Cut-Reductions 

We are now ready to define our Gentzen-like cut-elimination procedure. For this 
we shall introduce four sorts of cut-reduction, each of which is assumed to be 
closed under context formation. This is a standard convention in term rewriting. 
The first sort of cut-reduction, written →_log, deals with logical cuts. 

\[
\begin{array}{c}
\infer[\mathrm{Ax}]{x{:}B, \Gamma \rhd \mathrm{Ax}(x, a) \rhd \Delta, a{:}B}{}
\\[3ex]
\infer[\wedge_{L_i}]{y{:}B_1 \wedge B_2, \Gamma \rhd \mathrm{And}^i_L((x)M, y) \rhd \Delta}{x{:}B_i, \Gamma \rhd M \rhd \Delta}
\qquad
\infer[\wedge_R]{\Gamma \rhd \mathrm{And}_R(\langle a \rangle M, \langle b \rangle N, c) \rhd \Delta, c{:}B \wedge C}{\Gamma \rhd M \rhd \Delta, a{:}B & \Gamma \rhd N \rhd \Delta, b{:}C}
\\[3ex]
\infer[\mathrm{Cut}]{\Gamma_1, \Gamma_2 \rhd \mathrm{Cut}(\langle a \rangle M, (x)N) \rhd \Delta_1, \Delta_2}{\Gamma_1 \rhd M \rhd \Delta_1, a{:}B & x{:}B, \Gamma_2 \rhd N \rhd \Delta_2}
\\[3ex]
\infer[\mathrm{Cut}']{\Gamma_1, \Gamma_2 \rhd \mathrm{Cut}'(\langle a \rangle M, (x)N) \rhd \Delta_1, \Delta_2}{\Gamma_1 \rhd M \rhd \Delta_1, a{:}B & x{:}B, \Gamma_2 \rhd N \rhd \Delta_2}
\qquad
\infer[\mathrm{Cut}'']{\Gamma_1, \Gamma_2 \rhd \mathrm{Cut}''(\langle a \rangle M, (x)N) \rhd \Delta_1, \Delta_2}{\Gamma_1 \rhd M \rhd \Delta_1, a{:}B & x{:}B, \Gamma_2 \rhd N \rhd \Delta_2}
\end{array}
\]

Fig. 1. Term assignment for sequent proofs in the ∧-fragment of classical logic. 

Logical Reductions: 

1. Cut(⟨b⟩And_R(⟨a_1⟩M_1, ⟨a_2⟩M_2, b), (y)And_L^i((x)N, y)) →_log Cut(⟨a_i⟩M_i, (x)N) 

   if And_R(⟨a_1⟩M_1, ⟨a_2⟩M_2, b) and And_L^i((x)N, y) freshly introduce b and y 

2. Cut(⟨a⟩M, (x)Ax(x, b)) →_log M[a↦b] 

   if M freshly introduces a 

3. Cut(⟨a⟩Ax(y, a), (x)M) →_log M[x↦y] 

   if M freshly introduces x 

As can be seen, these cut-reductions are restricted so that they are applicable 
only if the immediate subterms of the cuts freshly introduce the names and co-
names corresponding to the cut-formulae. Without this restriction bound names 
or bound co-names might become free during cut-elimination, as demonstrated 
in [ref]. Note that in Reduction 2 (resp. 3) it is permitted that b (resp. y) is 
free in M. 

The next sort of cut-reduction applies to commuting cuts, that is to those 
where at least one immediate subterm of the cut does not freshly introduce the 
name or co-name of the cut-formula. 

Commuting Reductions: 

5. Cut(⟨a⟩M, (x)N) →_com Cut′(⟨a⟩M, (x)N) 

   if M does not freshly introduce a and is unlabelled, or 

6. Cut(⟨a⟩M, (x)N) →_com Cut″(⟨a⟩M, (x)N) 

   if N does not freshly introduce x and is unlabelled. 

A point to note is that Reductions 5 and 6 may be applicable at the same 
time. Take for example the term Cut(⟨a⟩Ax(x, b), (y)Ax(z, c)), which can reduce to 
either Cut′(⟨a⟩Ax(x, b), (y)Ax(z, c)) or Cut″(⟨a⟩Ax(x, b), (y)Ax(z, c)); the choice of 
which term it reduces to is not specified. Therefore, our cut-elimination procedure 
is non-deterministic. 

Once a cut is "labelled" by Reduction 5 or 6, the cut-reductions written as 
→_lab apply (see Figure 2). Each of them pushes labelled cuts inside the subterms 
until they reach a place where the cut-formula is introduced. However, care needs 
to be taken when applying a →_lab-reduction to ensure that no name or co-name 
clash occurs. This can always be achieved by appropriate alpha-conversions, and 
we shall assume that these conversions are done implicitly. 

It is worthwhile to comment on the reductions →_com and →_lab. We required 
in Reduction 5 (similarly in 6) that the term M is unlabelled, i.e., the top-most 
term constructor is not Cut′ or Cut″. This restriction is to avoid certain reduction 
sequences. Suppose M and N are cut-free, and assume the term Cut(⟨a⟩M, (x)N) 
is a logical cut. Furthermore assume c is not free in this term. Then consider the 
reduction sequence 

    Cut′(⟨c⟩Cut(⟨a⟩M, (x)N), (y)P) →_lab Cut(⟨a⟩Cut′(⟨c⟩M, (y)P), (x)Cut′(⟨c⟩N, (y)P)) 
                                   →_com Cut′(⟨a⟩Cut′(⟨c⟩M, (y)P), (x)Cut′(⟨c⟩N, (y)P)) 
                                   →^+   Cut(⟨a⟩M, (x)N) 

where the logical cut has become labelled (→_com-reduction), because another cut 
passed over it (first →_lab-reduction). While this reduction is harmless with respect 
to strong normalisation (this cut becomes a logical cut again), it causes the 
strong normalisation proof to be much harder. To save space, we thus exclude reduction 
sequences in which a logical cut becomes labelled, and the side-conditions 
in Reductions 5 and 6 are doing just that. 

Another point worth mentioning is that the first and second rule in Figure 2 
(similarly the fourth and fifth) can be replaced with the reduction 

    Cut′(⟨c⟩Ax(x, c), (y)P) →_lab P[y↦x]    (3) 

which is equally effective, in that all cut-rules are eliminable from a proof. However, 
this reduction has a subtle defect, as explained in [ref]. Consider a term N 
in which x is not free and a term P in which b is not free. We would expect that 
from Cut″(⟨a⟩N, (x)Cut′(⟨b⟩M, (y)P)) and Cut′(⟨b⟩Cut″(⟨a⟩N, (x)M), (y)P) the same 
collection of normal forms can be reached (the order of "independent" labelled 
cuts should not matter). Unfortunately, using the rule in (3) this does not hold. 
Therefore we have formulated the →_lab-reductions so that the order of labelled 
cuts, as long as they are "independent", is irrelevant with respect to 
which normal forms are reachable. This is an important property for analysing 
the computational content of classical proofs [ref]. 

The last sort of cut-reduction, named garbage reduction, deals with labelled 
cuts whose name or co-name of the cut-formula is not free in the corresponding 
subterm. In LK this corresponds to a cut on a weakened formula. 

Garbage Reductions: 

7. Cut′(⟨a⟩M, (x)N) →_gc M   if a is not a free co-name in M 

8. Cut″(⟨a⟩M, (x)N) →_gc N   if x is not a free name in N 
    Cut′(⟨c⟩Ax(x, c), (y)P)                  →_lab  Cut(⟨c⟩Ax(x, c), (y)P) 
    Cut′(⟨b⟩Cut(⟨a⟩M, (x)Ax(x, b)), (y)P)     →_lab  Cut(⟨a⟩Cut′(⟨b⟩M, (y)P), (y)P) 
    Cut′(⟨c⟩And_R(⟨a⟩M, ⟨b⟩N, c), (y)P)       →_lab  Cut(⟨c⟩And_R(⟨a⟩Cut′(⟨c⟩M, (y)P), ⟨b⟩Cut′(⟨c⟩N, (y)P), c), (y)P) 

    Cut″(⟨c⟩P, (y)Ax(y, a))                  →_lab  Cut(⟨c⟩P, (y)Ax(y, a)) 
    Cut″(⟨b⟩P, (x)Cut(⟨a⟩Ax(x, a), (y)M))     →_lab  Cut(⟨b⟩P, (y)Cut″(⟨b⟩P, (x)M)) 
    Cut″(⟨c⟩P, (y)And_L^i((x)M, y))          →_lab  Cut(⟨c⟩P, (y)And_L^i((x)Cut″(⟨c⟩P, (y)M), y)) 

    Cut′(⟨b⟩Ax(x, a), (y)P)                  →_lab  Ax(x, a) 
    Cut′(⟨b⟩Cut(⟨a⟩M, (x)N), (y)P)            →_lab  Cut(⟨a⟩Cut′(⟨b⟩M, (y)P), (x)Cut′(⟨b⟩N, (y)P)) 
    Cut′(⟨a⟩And_L^i((x)M, y), (z)P)          →_lab  And_L^i((x)Cut′(⟨a⟩M, (z)P), y) 
    Cut′(⟨d⟩And_R(⟨a⟩M, ⟨b⟩N, c), (y)P)       →_lab  And_R(⟨a⟩Cut′(⟨d⟩M, (y)P), ⟨b⟩Cut′(⟨d⟩N, (y)P), c) 

    Cut″(⟨b⟩P, (y)Ax(x, a))                  →_lab  Ax(x, a) 
    Cut″(⟨b⟩P, (y)Cut(⟨a⟩M, (x)N))            →_lab  Cut(⟨a⟩Cut″(⟨b⟩P, (y)M), (x)Cut″(⟨b⟩P, (y)N)) 
    Cut″(⟨a⟩P, (z)And_L^i((x)M, y))          →_lab  And_L^i((x)Cut″(⟨a⟩P, (z)M), y) 
    Cut″(⟨d⟩P, (y)And_R(⟨a⟩M, ⟨b⟩N, c))       →_lab  And_R(⟨a⟩Cut″(⟨d⟩P, (y)M), ⟨b⟩Cut″(⟨d⟩P, (y)N), c) 

Fig. 2. Cut-reductions for labelled cuts. 



We are now ready to define our Gentzen-like cut-elimination procedure. Since 
we annotated terms to our sequent proofs, we can define it as a term rewriting 
system. 

Definition 1 (Gentzen-like Cut-Elimination Procedure). The Gentzen- 
like cut-elimination procedure is the term rewriting system $(T_\wedge, \xrightarrow{cut})$ where: 

• $T_\wedge$ is the set of terms well-typed by the rules shown in Figure 1, and 

• $\xrightarrow{cut}$ consists of the reduction rules for logical, commuting and labelled cuts 
as well as the garbage reductions; that is, $\xrightarrow{cut}$ is the union of these four 
reduction relations. 

Notice that by assumption all reductions are closed under context formation. The 
completeness of $\xrightarrow{cut}$ is simply the fact that every term beginning with a cut 
matches at least one left-hand side of the reduction rules. So each irreducible 
term is cut-free. We shall however omit a proof of this fact. The theorem we 
are going to prove is as follows, but we delay the proof until Section 5. 

Theorem 1. For all terms in $T_\wedge$ the reduction $\xrightarrow{cut}$ is strongly normalising. 

As said earlier, this theorem can be generalised to include all connectives, and 
our proof can be easily adapted to the more general case. 
4 Comparison with Explicit Substitution Calculi 

There is a close correspondence between our cut-elimination procedure and ex- 
plicit substitution calculi, as we shall illustrate in this section. 

Explicit substitution calculi have been developed to internalise the substi- 
tution operation, a meta-level operation on lambda-terms, arising from beta- 
reductions. For example, in λx [?] the beta-reduction $(\lambda x.M)N \longrightarrow M[x := N]$ 
is replaced by the reduction $(\lambda x.M)N \longrightarrow M\langle x := N\rangle$ where the reduct con- 
tains a new syntactic constructor. The following reduction rules apply to this 
constructor. 

$y\langle x := P\rangle \longrightarrow P$ if $x = y$, otherwise $y$ 
$(\lambda y.M)\langle x := P\rangle \longrightarrow \lambda y.M\langle x := P\rangle$ 
$(MN)\langle x := P\rangle \longrightarrow M\langle x := P\rangle\,N\langle x := P\rangle$ 

Similarly, our labelled cuts internalise a proof substitution introduced in 
[?]. This substitution operation is written as $M\{a := (x)N\}$ and $N\{x := \langle a\rangle M\}$ 
where M and N belong to $TU_\wedge$, which is defined as the set of terms well-typed 
by the typing rules given in Figure 1 excluding the rules for labelled cuts. Thus 
$TU_\wedge$ consists of well-typed but completely unlabelled terms, and clearly, we have 
$TU_\wedge \subset T_\wedge$. In terms of the reductions given above the proof substitution can be 
defined as the juxtaposition of a commuting reduction and a series of labelled-cut 
reductions ($\xrightarrow{x}$), which need to be applied until no further $\xrightarrow{x}$-reduction is applicable (later we 
shall refer to such a term as x-normal form). Here we omit an inductive defini- 
tion of the proof substitution, which can be found in [11, 12]. Using this proof 
substitution we can reformulate the reduction for commuting cuts as follows. 

5'. $\mathrm{Cut}(\langle a\rangle M,(x)N) \longrightarrow M\{a := (x)N\}$ if M does not freshly introduce a, or 

6'. $\mathrm{Cut}(\langle a\rangle M,(x)N) \longrightarrow N\{x := \langle a\rangle M\}$ if N does not freshly introduce x. 

This leads to the following cut-elimination procedure, which satisfies the three 
criteria given in the introduction, but which is not Gentzen-like (the proof sub- 
stitution is a “global” operation). 

Definition 2 (Global Cut-Elimination Procedure). The cut-elimination 
procedure $(TU_\wedge, \xrightarrow{gbl})$ is the term rewriting system where: 

• $TU_\wedge$ is the set of well-typed but completely unlabelled terms, and 

• $\xrightarrow{gbl}$ consists of the reduction rules for logical and commuting cuts; that is, 
$\xrightarrow{gbl}$ is the union of the logical reductions and the commuting reductions 5' and 6'. 

A proof of strong normalisation for $(TU_\wedge, \xrightarrow{gbl})$ is given in [11, 12]. There is 
no known technique that would give a strong normalisation result for $(T_\wedge, \xrightarrow{cut})$ 
via a simple translation from $T_\wedge$ to $TU_\wedge$. This is similar to the situation with the 
lambda-calculus and λx: strong normalisation for the explicit substitution cal- 
culus does not follow directly from strong normalisation of the lambda-calculus. 
Indeed, as shown in [?], explicit substitution calculi, if defined naively, may break 
the strong normalisation property. So the proof we shall present next is rather 
involved. 
5 Proof of Strong Normalisation 

In this section we shall give a proof for Theorem 1. In this proof we shall make 
use of the recursive path ordering by Dershowitz [5]. 

Definition 3 (Recursive Path Ordering). Let $s = f(s_1,\ldots,s_m)$ and $t = 
g(t_1,\ldots,t_n)$ be terms; then $s >^{rpo} t$ iff 

(i) $s_i \geq^{rpo} t$ for some $i = 1,\ldots,m$ (subterm) 
or (ii) $f \gg g$ and $s >^{rpo} t_j$ for all $j = 1,\ldots,n$ (decreasing heads) 
or (iii) $f = g$ and $\{s_1,\ldots,s_m\} >^{rpo}_{mult} \{t_1,\ldots,t_n\}$ (equal heads) 

where $\gg$ is a precedence defined over term constructors, $>^{rpo}_{mult}$ is the extension 
of $>^{rpo}$ to finite multisets and $\{\cdots\}$ stands for a multiset of terms; $\geq^{rpo}$ means 
$>^{rpo}$ or equivalent up to permutation of subterms. 

The recursive path ordering theorem says that $>^{rpo}$ is well-founded iff the prece- 
dence of the term constructors, $\gg$, is well-founded. Unfortunately, two problems 
preclude a direct application of this theorem. 

• First, the theorem requires a well-founded precedence for our term con- 
structors. However, our reduction rules include the two reductions (written 
schematically) 

$\mathrm{Cut}(\_,\_) \longrightarrow \overline{\mathrm{Cut}}(\_,\_)$ 
$\overline{\mathrm{Cut}}(\mathrm{Cut}(\_,\_),\_) \longrightarrow \mathrm{Cut}(\overline{\mathrm{Cut}}(\_,\_),\overline{\mathrm{Cut}}(\_,\_))$ 

and consequently we have a cycle between $\mathrm{Cut}$ and $\overline{\mathrm{Cut}}$. In [?] a clever 
solution for an analogous problem in λx was presented. We shall adapt this 
solution for our rewrite system. The essence of this solution is that we take 
into account (in a non-trivial way) that $(TU_\wedge, \xrightarrow{gbl})$ is strongly normalising. 

• The second problem arises from the fact that the recursive path ordering the- 
orem applies only to first-order rewrite systems, i.e., no binding operations 
are allowed. In our term calculus, however, we have two binding operations: 
one for names and one for co-names. We solve this problem by introducing 
another term calculus, denoted by TC, for which we can apply this theorem, 
and then prove strong normalisation for $(T_\wedge, \xrightarrow{cut})$ by translation. 



The first important fact in our proof is that $\xrightarrow{x}$ is confluent, in contrast to 
$\xrightarrow{cut}$, which is clearly not. 

Lemma 1. The reduction $\xrightarrow{x}$ is strongly normalising and confluent. 

Proof. We can show the first part of the lemma by a simple calculation using 
the measure $[\_]$, which is 1 for axioms and the sum of the measures of the 
subterms increased by 1 for $\mathrm{And}_R(\_,\_)$; similarly for $\mathrm{And}_L(\_)$ and $\mathrm{Cut}(\_,\_)$. 
For the labelled cuts we have: 

$[\widetilde{\mathrm{Cut}}(\langle a\rangle M,(x)N)] \stackrel{\mathrm{def}}{=} ([M]+1)*(4[N]+1)$ 

$[\overline{\mathrm{Cut}}(\langle a\rangle M,(x)N)] \stackrel{\mathrm{def}}{=} (4[M]+1)*([N]+1)$ 






This gives $[M] > [N]$ whenever $M \xrightarrow{x} N$. Confluence of $\xrightarrow{x}$ follows from local 
confluence, which can be easily established, and strong normalisation. □ 

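As an added illustration of the measure used in this proof (example code, not from the paper), the following Python computes $[\_]$ on a tuple encoding of terms and applies two of the labelled-cut rules of Figure 2 to constructed terms, returning the measure before and after the step. The encoding (`CutF` for the labelled cut with measure $(4[M]+1)([N]+1)$, pushed into its first subterm; `CutS` for the one with measure $([M]+1)(4[N]+1)$), the function names and the sample terms are assumptions.

```python
# Term encoding (assumed): tuples headed by the constructor name.
#   Ax(x,a)              -> ('Ax', x, a)
#   And_R(<a>M,<b>N,c)   -> ('AndR', a, M, b, N, c)
#   And_L((x)M,y)        -> ('AndL', x, M, y)
#   Cut(<a>M,(x)N)       -> ('Cut', a, M, x, N)
#   labelled cut pushed into M (measure (4[M]+1)([N]+1)) -> ('CutF', a, M, x, N)
#   labelled cut pushed into N (measure ([M]+1)(4[N]+1)) -> ('CutS', a, M, x, N)

def measure(t):
    """The measure [_] from the proof of Lemma 1."""
    kind = t[0]
    if kind == 'Ax':
        return 1
    if kind == 'AndL':
        return measure(t[2]) + 1
    if kind in ('AndR', 'Cut'):
        return measure(t[2]) + measure(t[4]) + 1
    if kind == 'CutF':
        return (4 * measure(t[2]) + 1) * (measure(t[4]) + 1)
    if kind == 'CutS':
        return (measure(t[2]) + 1) * (4 * measure(t[4]) + 1)
    raise ValueError(kind)

def push_through_cut(t):
    """CutF(<b>Cut(<a>M,(x)N),(y)P) -> Cut(<a>CutF(<b>M,(y)P),(x)CutF(<b>N,(y)P))."""
    _, b, inner, y, P = t
    assert t[0] == 'CutF' and inner[0] == 'Cut'
    _, a, M, x, N = inner
    return ('Cut', a, ('CutF', b, M, y, P), x, ('CutF', b, N, y, P))

def push_into_andr(t):
    """CutF(<c>And_R(<a>M,<b>N,c),(y)P)
       -> Cut(<c>And_R(<a>CutF(<c>M,(y)P),<b>CutF(<c>N,(y)P),c),(y)P),
    the case where And_R freshly introduces the cut co-name c."""
    _, c, andr, y, P = t
    assert t[0] == 'CutF' and andr[0] == 'AndR' and andr[5] == c
    _, a, M, b, N, _ = andr
    return ('Cut', c, ('AndR', a, ('CutF', c, M, y, P), b, ('CutF', c, N, y, P), c), y, P)

def step_measures(rule, t):
    """([lhs], [rhs]) for one rewrite step; Lemma 1 needs the first to be larger."""
    return measure(t), measure(rule(t))

# Constructed sample subterms (any well-formed pieces would do).
M = ('AndL', 'x', ('Ax', 'x', 'a'), 'y')                           # [M] = 2
N = ('Ax', 'z', 'a')                                               # [N] = 1
P = ('AndR', 'a', ('Ax', 'u', 'a'), 'b', ('Ax', 'v', 'b'), 'c')    # [P] = 3
SAMPLE_CUT = ('CutF', 'b', ('Cut', 'a', M, 'x', N), 'y', P)
SAMPLE_ANDR = ('CutF', 'c', ('AndR', 'a', M, 'b', N, 'c'), 'y', P)

if __name__ == '__main__':
    print(step_measures(push_through_cut, SAMPLE_CUT))   # (68, 57)
    print(step_measures(push_into_andr, SAMPLE_ANDR))    # (68, 61)
```

The factor 4 is what makes the second rule decrease: the outer unlabelled cut that reappears costs only $[P]+1$, while the labelled cut that disappears from the top contributed a multiple of $[P]+1$.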
As a result, we can define the unique x-normal form of a term belonging to $T_\wedge$. 

Definition 4. The unique x-normal form of a term $M \in T_\wedge$ is denoted by $|M|_x$. 

By a careful case analysis we can show that for all $M \in T_\wedge$ the x-normal form 
$|M|_x$ is an element of $TU_\wedge$, i.e., is well-typed and completely unlabelled. The details 
are omitted. 

Next we shall prove that $\xrightarrow{x}$ correctly simulates the proof substitution op- 
eration. 

Lemma 2. For all $M, N \in T_\wedge$ we have 

(i) $|\overline{\mathrm{Cut}}(\langle a\rangle M,(y)N)|_x = |M|_x\{a := (y)|N|_x\}$ 

(ii) $|\widetilde{\mathrm{Cut}}(\langle a\rangle N,(y)M)|_x = |M|_x\{y := \langle a\rangle|N|_x\}$ 

Proof. We can show the lemma by induction on M in case M is completely 
unlabelled. We can then prove the lemma for all terms by a simple calculation, 
as illustrated next for (i): by uniqueness of the x-normal form we have that 
$|\overline{\mathrm{Cut}}(\langle a\rangle M,(y)N)|_x = |\overline{\mathrm{Cut}}(\langle a\rangle|M|_x,(y)|N|_x)|_x$, and, because $|M|_x$ is completely 
unlabelled, this is $|M|_x\{a := (y)|N|_x\}$. □ 

Now we are in a position to show another important fact in our proof, namely 
that the $\xrightarrow{cut}$-reductions project onto $\xrightarrow{gbl}$-reductions. 

Lemma 3. For all terms $M, N \in T_\wedge$, if $M \xrightarrow{cut} N$ then $|M|_x \xrightarrow{gbl}{}^{*} |N|_x$. 

Proof. By induction on the definition of $\xrightarrow{cut}$. □ 

As mentioned earlier, this lemma is not strong enough to prove strong normali- 
sation of $\xrightarrow{cut}$. To prove this property we shall use a translation that maps every 
$\xrightarrow{cut}$-reduction onto a pair of terms belonging to the set TC, defined as follows. 

Definition 5. Let TC be the set of all terms generated by the grammar 

$M, N ::= * \mid M\bullet_n N \mid M(N)_n \mid (M)_n N \mid (\!|M,N|\!) \mid (\!|M|\!)$ 

where n is a natural number. The well-founded precedence $\gg$ is given by 

$\bullet_{n+1} \gg \_(\_)_n \gg (\_)_n\_ \gg \bullet_n \gg (\!|\_,\_|\!) \gg (\!|\_|\!) \gg *$. 

To define the translation we shall use, as it turns out later, an alternative def- 
inition of the set $T_\wedge$. This alternative definition is required in order to strengthen 
an induction hypothesis. 

Definition 6. The set of bounded terms, $B_\wedge$, consists of well-typed terms M 
whereby for every subterm N of M the corresponding x-normal form, $|N|_x$, 
must be strongly normalising with respect to $\xrightarrow{gbl}$. 

Clearly, we now have to show the following fact. 

Lemma 4. The set of bounded terms is closed under $\xrightarrow{cut}$-reductions. 

Proof. By induction on the definition of $\xrightarrow{cut}$ using Lemma 3. □ 

Next we define the translation from bounded terms to terms of TC. 



Definition 7. The translation $\underline{\_} : B_\wedge \to TC$ is inductively defined by the clauses 

$\underline{\mathrm{Ax}(x,a)} \stackrel{\mathrm{def}}{=} *$ 

$\underline{\mathrm{Cut}(\langle a\rangle S,(x)T)} \stackrel{\mathrm{def}}{=} \underline{S}\bullet_l\underline{T}$ where $l = \mathrm{MAXRED}_{gbl}(|\mathrm{Cut}(\langle a\rangle S,(x)T)|_x)$ 

$\underline{\overline{\mathrm{Cut}}(\langle a\rangle S,(x)T)} \stackrel{\mathrm{def}}{=} \underline{S}(\underline{T})_m$ where $m = \mathrm{MAXRED}_{gbl}(|\overline{\mathrm{Cut}}(\langle a\rangle S,(x)T)|_x)$ 

$\underline{\widetilde{\mathrm{Cut}}(\langle a\rangle S,(x)T)} \stackrel{\mathrm{def}}{=} (\underline{S})_n\underline{T}$ where $n = \mathrm{MAXRED}_{gbl}(|\widetilde{\mathrm{Cut}}(\langle a\rangle S,(x)T)|_x)$ 

$\underline{\mathrm{And}_R(\langle a\rangle S,\langle b\rangle T,c)} \stackrel{\mathrm{def}}{=} (\!|\underline{S},\underline{T}|\!)$ 

$\underline{\mathrm{And}_L((x)S,y)} \stackrel{\mathrm{def}}{=} (\!|\underline{S}|\!)$ 

where $\mathrm{MAXRED}_{gbl}(|M|_x)$ denotes the number of steps of the longest $\xrightarrow{gbl}$-reduc- 
tion sequence starting from the x-normal form of M. Clearly, this translation 
is well-defined since it is restricted to bounded terms. The next lemma will be 
applied when we need to compare labels of terms in TC. 



Lemma 5. For all terms $M, N \in B_\wedge$ we have 

(i) $\mathrm{MAXRED}_{gbl}(|M|_x) \geq \mathrm{MAXRED}_{gbl}(|N|_x)$, provided $M \xrightarrow{cut} N$. 

(ii) $\mathrm{MAXRED}_{gbl}(|M|_x) \geq \mathrm{MAXRED}_{gbl}(|N|_x)$, provided N is an immediate subterm 
of M and M is unlabelled. 

(iii) $\mathrm{MAXRED}_{gbl}(|M|_x) > \mathrm{MAXRED}_{gbl}(|N|_x)$, provided $M \xrightarrow{cut} N$ is a commuting or a 
logical reduction on the outermost level. 

Proof. (i) follows from Lemma 3; for (ii) note that all reductions which $|N|_x$ can 
perform can be performed by $|M|_x$; (iii) is by a simple calculation and the fact 
that the side conditions put on the commuting reductions ensure that $|M|_x \xrightarrow{gbl}{}^{+} |N|_x$. □ 

We shall now prove the (main) lemma, which relates a $\xrightarrow{cut}$-reduction to a pair 
of terms belonging to TC and ordered decreasingly according to $>^{rpo}$. 

Lemma 6. For all terms $M, N \in B_\wedge$, if $M \xrightarrow{cut} N$, then $\underline{M} >^{rpo} \underline{N}$. 

Proof. By induction on the definition of $\xrightarrow{cut}$. As there are many possible re- 
ductions, we shall present only a few representative cases. First we give one case 
where an inner reduction occurs (we shall write rpo for Definition 3). 

• $M = \mathrm{Cut}(\langle a\rangle S,(x)T) \xrightarrow{cut} \mathrm{Cut}(\langle a\rangle S',(x)T) = N$ 

(1) $S \xrightarrow{cut} S'$ and $\underline{S} >^{rpo} \underline{S'}$ by assumption and induction 

(2) $\underline{M} = \underline{S}\bullet_m\underline{T}$ and $\underline{N} = \underline{S'}\bullet_n\underline{T}$ by Definition 7 

(3) $m \geq n$ by Lemma 5(i) 

(4) $\underline{S}\bullet_m\underline{T} >^{rpo} \underline{S'}$, $\underline{S}\bullet_m\underline{T} >^{rpo} \underline{T}$, $\{\underline{S},\underline{T}\} >^{rpo}_{mult} \{\underline{S'},\underline{T}\}$ by (1) and rpo(i) 

(5) $\underline{M} >^{rpo} \underline{N}$ by (4) and rpo(ii,iii) 

We now show two typical cases where an $\xrightarrow{x}$-reduction is performed. 

• $M = \overline{\mathrm{Cut}}(\langle c\rangle\mathrm{And}_R(\langle a\rangle S,\langle b\rangle T,c),(x)U) \xrightarrow{x} \mathrm{Cut}(\langle c\rangle\mathrm{And}_R(\langle a\rangle\overline{\mathrm{Cut}}(\langle c\rangle S,(x)U),\langle b\rangle\overline{\mathrm{Cut}}(\langle c\rangle T,(x)U),c),(x)U) = N$ 

(1) $\underline{M} = (\!|\underline{S},\underline{T}|\!)(\underline{U})_m$ and $\underline{N} = (\!|\underline{S}(\underline{U})_r,\underline{T}(\underline{U})_s|\!)\bullet_t\underline{U}$ by Definition 7 

(2) $m \geq t, r, s$ and $\_(\_)_m \gg \_\bullet_t\_$ by Lemma 5(i,ii) and Definition 5 

(3) $(\!|\underline{S},\underline{T}|\!)(\underline{U})_m >^{rpo} \underline{S}$, $(\!|\underline{S},\underline{T}|\!)(\underline{U})_m >^{rpo} \underline{U}$, $\{(\!|\underline{S},\underline{T}|\!),\underline{U}\} >^{rpo}_{mult} \{\underline{S},\underline{U}\}$ by rpo(i) 

(4) $(\!|\underline{S},\underline{T}|\!)(\underline{U})_m >^{rpo} \underline{S}(\underline{U})_r$ by (3) and rpo(ii,iii) 

(5) $(\!|\underline{S},\underline{T}|\!)(\underline{U})_m >^{rpo} \underline{T}(\underline{U})_s$ analogous to (3,4) 

(6) $(\!|\underline{S},\underline{T}|\!)(\underline{U})_m >^{rpo} (\!|\underline{S}(\underline{U})_r,\underline{T}(\underline{U})_s|\!)$ by (4,5) and rpo(ii) 

(7) $(\!|\underline{S},\underline{T}|\!)(\underline{U})_m >^{rpo} \underline{U}$ by rpo(i) 

(8) $\underline{M} >^{rpo} \underline{N}$ by (2,6,7) and rpo(ii) 

• $M = \overline{\mathrm{Cut}}(\langle d\rangle\mathrm{And}_R(\langle a\rangle S,\langle b\rangle T,c),(x)U) \xrightarrow{x} \mathrm{And}_R(\langle a\rangle\overline{\mathrm{Cut}}(\langle d\rangle S,(x)U),\langle b\rangle\overline{\mathrm{Cut}}(\langle d\rangle T,(x)U),c) = N$ 

(1) $\underline{M} = (\!|\underline{S},\underline{T}|\!)(\underline{U})_m$ and $\underline{N} = (\!|\underline{S}(\underline{U})_r,\underline{T}(\underline{U})_s|\!)$ by Definition 7 

(2) $m \geq r, s$ by Lemma 5(i,ii) 

(3) $(\!|\underline{S},\underline{T}|\!)(\underline{U})_m >^{rpo} \underline{S}$, $(\!|\underline{S},\underline{T}|\!)(\underline{U})_m >^{rpo} \underline{U}$, $\{(\!|\underline{S},\underline{T}|\!),\underline{U}\} >^{rpo}_{mult} \{\underline{S},\underline{U}\}$ by rpo(i) 

(4) $(\!|\underline{S},\underline{T}|\!)(\underline{U})_m >^{rpo} \underline{S}(\underline{U})_r$ by (3) and rpo(ii,iii) 

(5) $(\!|\underline{S},\underline{T}|\!)(\underline{U})_m >^{rpo} \underline{T}(\underline{U})_s$ analogous to (3,4) 

(6) $\underline{M} >^{rpo} \underline{N}$ by (4,5) and rpo(ii) 



Last we tackle two cases, one where a commuting reduction and one where a 
logical reduction occurs. 

• $M = \mathrm{Cut}(\langle a\rangle S,(x)T) \xrightarrow{cut} \overline{\mathrm{Cut}}(\langle a\rangle S,(x)T) = N$ 

(1) $\underline{M} = \underline{S}\bullet_m\underline{T}$ and $\underline{N} = \underline{S}(\underline{T})_n$ by Definition 7 

(2) $m > n$ and $\_\bullet_m\_ \gg \_(\_)_n$ by Lemma 5(iii) and Definition 5 

(3) $\underline{S}\bullet_m\underline{T} >^{rpo} \underline{S}$ and $\underline{S}\bullet_m\underline{T} >^{rpo} \underline{T}$ by rpo(i) 

(4) $\underline{M} >^{rpo} \underline{N}$ by (2,3) and rpo(ii) 

• $M = \mathrm{Cut}(\langle c\rangle\mathrm{And}_R(\langle a\rangle S,\langle b\rangle T,c),(y)\mathrm{And}_L((x)U,y)) \xrightarrow{cut} \mathrm{Cut}(\langle a\rangle S,(x)U) = N$ 

(1) $\underline{M} = (\!|\underline{S},\underline{T}|\!)\bullet_m(\!|\underline{U}|\!)$ and $\underline{N} = \underline{S}\bullet_n\underline{U}$ by Definition 7 

(2) $m > n$ by Lemma 5(iii) 

(3) $(\!|\underline{S},\underline{T}|\!)\bullet_m(\!|\underline{U}|\!) >^{rpo} \underline{S}$ and $(\!|\underline{S},\underline{T}|\!)\bullet_m(\!|\underline{U}|\!) >^{rpo} \underline{U}$ by rpo(i) 

(4) $\underline{M} >^{rpo} \underline{N}$ by (2,3) and rpo(ii) 

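To make the ordering argument concrete, here is an added Python implementation (not the paper's code) of $>^{rpo}$ from Definition 3 over the terms of TC with the precedence of Definition 5, checked on the commuting case and the labelled $\mathrm{And}_R$ case of the proof above. The constructor names, the numeric rank used to realise $\gg$, and the choice of $*$ as least constructor are assumptions.

```python
from dataclasses import dataclass
# Terms of TC (Definition 5); constructor names are assumed: 'star' = *,
# 'dot' = M •_n N, 'app' = M(N)_n, 'papp' = (M)_n N, 'pair' = (|M,N|), 'box' = (|M|).
@dataclass(frozen=True)
class T:
    kind: str          # constructor
    n: int = 0         # label n (part of the head symbol; 0 for unlabelled heads)
    args: tuple = ()   # immediate subterms

def star(): return T('star')
def dot(n, s, t): return T('dot', n, (s, t))
def app(n, s, t): return T('app', n, (s, t))
def pair(s, t): return T('pair', 0, (s, t))

def prec(t):
    """Numeric rank realising •_{n+1} ≫ _(_)_n ≫ (_)_n _ ≫ •_n ≫ (|_,_|) ≫ (|_|) ≫ *."""
    fixed = {'star': 0, 'box': 1, 'pair': 2}
    if t.kind in fixed:
        return fixed[t.kind]
    return 3 + 3 * t.n + {'dot': 0, 'papp': 1, 'app': 2}[t.kind]

def rpo_eq(s, t):
    """s and t are equal up to permutation of subterms."""
    if (s.kind, s.n) != (t.kind, t.n) or len(s.args) != len(t.args):
        return False
    rest = list(t.args)
    for si in s.args:
        j = next((k for k, tj in enumerate(rest) if rpo_eq(si, tj)), None)
        if j is None:
            return False
        del rest[j]
    return True

def mult_gt(ms, ns):
    """Multiset extension of >rpo: cancel equivalent elements, then every element
    left in ns must be dominated by some element left in ms (and ms is not empty)."""
    ms, ns = list(ms), list(ns)
    for m in list(ms):
        j = next((k for k, n in enumerate(ns) if rpo_eq(m, n)), None)
        if j is not None:
            ms.remove(m); del ns[j]
    return bool(ms) and all(any(rpo_gt(m, n) for m in ms) for n in ns)

def rpo_gt(s, t):
    """Definition 3: (i) subterm, (ii) decreasing heads, (iii) equal heads."""
    if any(rpo_gt(si, t) or rpo_eq(si, t) for si in s.args):
        return True
    if prec(s) > prec(t):
        return all(rpo_gt(s, tj) for tj in t.args)
    if (s.kind, s.n) == (t.kind, t.n):
        return mult_gt(s.args, t.args)
    return False

def commuting_case(m, n):
    """Lemma 6, commuting case with S = T = *: does S •_m T >rpo S(T)_n hold?"""
    return rpo_gt(dot(m, star(), star()), app(n, star(), star()))

def labelled_case(m, r, s, t):
    """Lemma 6, labelled And_R case with S = T = U = *:
    does (|S,T|)(U)_m >rpo (|S(U)_r, T(U)_s|) •_t U hold?"""
    S = U = star()
    return rpo_gt(app(m, pair(S, S), U), dot(t, pair(app(r, S, U), app(s, S, U)), U))
```

Running `commuting_case(1, 1)` returns False, which is why the commuting case needs the strict inequality of Lemma 5(iii); `labelled_case(1, 2, 1, 1)` likewise fails, showing that the label of the outer term must bound the labels of the inner ones.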


Using this lemma we can show that every $\xrightarrow{cut}$-reduction sequence starting from 
a term belonging to $TU_\wedge$ is terminating. 

Lemma 7. Every $\xrightarrow{cut}$-reduction sequence starting with a term that belongs to 
$TU_\wedge$ is terminating. 

Proof. Suppose for the sake of deriving a contradiction that from M the infinite 
reduction sequence $M = M_1 \xrightarrow{cut} M_2 \xrightarrow{cut} M_3 \xrightarrow{cut} M_4 \xrightarrow{cut} \ldots$ starts. Because 
M is completely unlabelled we have for all subterms N of M that $|N|_x = N$, and 
because M is well-typed we know that each of them is strongly normalising under 
$\xrightarrow{gbl}$. Consequently, every $\mathrm{MAXRED}_{gbl}(|N|_x)$ is finite, and thus M is bounded. By 
Lemmas 4 and 6 we have that the infinite reduction sequence starting from M 
can be mapped onto the decreasing chain $\underline{M_1} >^{rpo} \underline{M_2} >^{rpo} \underline{M_3} >^{rpo} \underline{M_4} >^{rpo} \ldots$, 
which however contradicts the well-foundedness of $>^{rpo}$. Thus all $\xrightarrow{cut}$-reduction 
sequences starting with a term that is an element in $TU_\wedge$ must terminate. □ 
Next, we extend this lemma to all terms of $T_\wedge$. To do so, we shall first show that 
for every $M \in T_\wedge$ there is a term $N \in TU_\wedge$ such that $N \xrightarrow{cut}{}^{*} M$. Because N 
is an element in $TU_\wedge$, we have that N is strongly normalising by the lemma just 
given, and so M, too, must be strongly normalising. 

Lemma 8. For every term $M \in T_\wedge$ with the typing judgement $\Gamma \triangleright M \triangleright \Delta$, 
there is a term $N \in TU_\wedge$ with the typing judgement $\Gamma', \Gamma \triangleright N \triangleright \Delta, \Delta'$ such that 
$N \xrightarrow{cut}{}^{*} M$. 

Proof. We construct N by inductively replacing in M all occurrences of $\overline{\mathrm{Cut}}$ and 
$\widetilde{\mathrm{Cut}}$ by some instances of $\mathrm{Cut}$. We analyse the case where $\overline{\mathrm{Cut}}(\langle a\rangle S,(x)T)$ is a 
subterm of M. 

• If the subterm S does not freshly introduce a, then we replace $\overline{\mathrm{Cut}}(\langle a\rangle S,(x)T)$ 
simply by $\mathrm{Cut}(\langle a\rangle S,(x)T)$ (both terms have the same typing judgement). In 
this case we have $\mathrm{Cut}(\langle a\rangle S,(x)T) \xrightarrow{cut} \overline{\mathrm{Cut}}(\langle a\rangle S,(x)T)$ by a commuting reduction. 

• The more interesting case is where S freshly introduces a. Here we cannot 
simply replace $\overline{\mathrm{Cut}}$ with $\mathrm{Cut}$, because there is no reduction with $N \xrightarrow{cut}{}^{*} M$. 
Therefore we replace $\overline{\mathrm{Cut}}(\langle a\rangle S,(x)T)$ by $\mathrm{Cut}(\langle a\rangle\mathrm{Cut}(\langle b\rangle S,(y)\mathrm{Ax}(y,c)),(x)T)$ 
in which b and c are fresh co-names that do not occur anywhere else (this 
ensures that the new cut-instances are well-typed). Now we show how the 
new term can reduce. Because $\mathrm{Cut}(\langle b\rangle S,(y)\mathrm{Ax}(y,c))$ does not freshly intro- 
duce a, we can first perform two commuting reductions and subsequently we 
can remove the labelled cut by a garbage reduction, viz. 

$\mathrm{Cut}(\langle a\rangle\mathrm{Cut}(\langle b\rangle S,(y)\mathrm{Ax}(y,c)),(x)T) \longrightarrow \overline{\mathrm{Cut}}(\langle a\rangle\mathrm{Cut}(\langle b\rangle S,(y)\mathrm{Ax}(y,c)),(x)T)$ 

$\longrightarrow \overline{\mathrm{Cut}}(\langle a\rangle\overline{\mathrm{Cut}}(\langle b\rangle S,(y)\mathrm{Ax}(y,c)),(x)T)$ 

$\longrightarrow \overline{\mathrm{Cut}}(\langle a\rangle S,(x)T)$ □ 

Now the proof of Theorem 1 is by a simple contradiction argument. 

Proof of Theorem 1. Suppose $M \in T_\wedge$ is not strongly normalising. Then by 
the lemma just given there is a term $N \in TU_\wedge$ such that $N \xrightarrow{cut}{}^{*} M$. Clearly, if 
M is not strongly normalising, then neither is N, which however contradicts Lemma 7. 
Consequently, M must be strongly normalising. □ 

6 Conclusion 

In this paper we considered the problem of defining a strongly normalising cut- 
elimination procedure for classical logic that satisfies the three criteria given 
in the introduction and that is Gentzen-like. While Gentzen-like cut-elimination 
procedures tend to break strong normalisation, in this paper we have shown that 
this property can be retained by introducing labelled cuts. For reasons of space 
we have given our system for only the ∧-fragment. However, our techniques apply 
to the other connectives and to the first-order quantifiers. This should provide 
us with a bridge between our earlier calculus and an implementation. 

There are many directions for further work. For example, what is the precise 
correspondence in the intuitionistic case between normalisation in the lambda- 
calculus (with explicit substitutions) and our strongly normalising cut-elimi- 
nation procedure? This is of interest since the Gentzen-like cut-elimination pro- 
cedure presented in this paper is rather helpful in proving strong normalisation 
of other reduction systems by simple translations (e.g. the lambda-calculus, λx 
and Parigot’s λμ). Some of these issues are addressed in [11]. 